Existential Label Flow Inference via CFL Reachability∗

Polyvios Pratikakis Michael Hicks Jeffrey S. Foster

July, 2005

Abstract

Label flow analysis is a fundamental static analysis problem with a wide variety of appli-cations. Previous work by Mossin developed a polynomial time subtyping-based label flowinference that supports Hindley-Milner style polymorphism with polymorphic recursion. Re-hof et al have developed an efficient O(n3) inference algorithm for Mossin’s system based oncontext-free language (CFL) reachability. In this paper, we extend these results to a systemthat also supports existential polymorphism, which is important for precisely describing corre-lations among members of a structured type, even when values of that type are part of dynamicdata structures. We first develop a provably sound checking system based on polymorphically-constrained types. As usual, we restrict universal quantification to the top level of a type, butexistential quantification is first class, with subtyping allowed between existentials with the samebinding structure. We then develop a CFL-based inference system. Programmers specify whichpositions in a type are existentially quantified, and the algorithm infers the constraints boundin the type, or rejects a program if the annotations are inconsistent.

1 Introduction

Label flow analysis is a program analysis that attempts to answer queries of the form “Does thevalue of expression e1 flow to the value of expression e2?” Answering such queries has a largevariety of applications, including points-to analysis [1, 2], information flow [3], and type qualifierinference [4, 5].

Label flow analysis can be implemented as a type-based program analysis [6], in which static anal-ysis is defined in terms of type inference. In type-based label flow analysis, as in other type-basedanalyses, context sensitivity for functions corresponds to parametric (universal) polymorphism.Mossin [7] gave the first polynomial time algorithm for subtyping-based label flow inference withHindley-Milner style parametric polymorphism, including polymorphic recursion. Rehof et al [8, 9]showed how the label flow problem defined by Mossin could be reduced to the problem of context-free language (CFL) reachability. The resulting inference system runs in time O(n3), and follow-onwork (some of which is cited above) has shown it to be quite efficient and useful in practice.

In this work, we develop a new extension to CFL-based label flow inference that supportsexistential quantification [10]. Intuitively, universal polymorphism allows multiple calls to the samefunction to be distinguished, avoiding some spurious flows. However, universal polymorphism aidslittle in the analysis of data structures. For example, in label-flow based alias analysis, all elementsof the same data structure usually become conflated, resulting in a “blob” of indistinguishablepointers that reduces precision [11]. With existential quantification, we can express correlations∗University of Maryland, Computer Science Department Technical Report CS-TR-4700. This research was sup-

ported in part by NSF CCF-0346982 and CCF-0430118.

1

among members of a structured type, allowing us to model data structures much more preciselyin many useful cases. For example, existentials can be used to correlate an integer length with abuffer having that length [12], to correlate data with the lock that must be held when accessingthe data [13], or to correlate an environment with the closure that takes it as an argument [14].Such correlations are particularly important when the identity of individual data structure elementscannot be discerned, e.g., when they are stored within a tree or list, or when they are generatedbased on dynamic information. In such a setting, the precision afforded by universal quantificationis unavailable.

In the label flow systems presented in this paper, labels L are attached to types, as is stan-dard. For example, intL is the type of an integer with label L. We begin by presenting a soundsubtyping-based label-flow system in the style of Mossin that uses polymorphically constrained types(Section 3). For example, the identity function can be given the type ∀α, β[α ≤ β].intα → intβ .The subtyping constraint α ≤ β indicates that the label on the argument flows to the label on theresult. The key technical novelty is that we also allow existential polymorphism. For example, thetype ∃α, β[α ≤ β].intα × (intβ → intψ) describes a pair in which the first element flows to thedomain of the second element. In our system (as in Mossin’s system), universally-quantified typesobey a Hindley-Milner discipline, and hence they only appear in type environments. In contrast,existential types are first-class so that their values can be stored in variables and passed to func-tions. Subtyping is permitted between existentials with the same quantification structure (theymust have the same α-convertible quantified labels) but differing constraints. While this restrictionreduces the power of the system slightly, it aids in our inference algorithm.

We have proven that our polymorphically-constrained type system is sound (Appendix A), butsuch type systems are often awkward to implement efficiently in practice. Thus the second keycontribution of this work is the development of a label flow inference system (Section 4) based onCFL reachability and instantiation constraints, in the style of Rehof et al. In this system, subtypingconstraints no longer appear on types, but rather are stored “off-to-the-side.” Instantiation con-straints enable efficient inference of universally- and existentially-quantified types. In our system,functions can be parametric in their arguments except for existential packages, which are passedmonomorphically. To support inference, programmers provide annotations specifying which labelsin a type are existentially quantified, and our algorithm infers needed constraints. It is an openquestion whether an efficient algorithm exists that does not require programmer assistance. Ininference, we further require that existentially bound labels do not interact we free labels. Thisrequirement means that our inference system is slightly weaker than our checking system, but thusfar we have found it necessary to produce a correct inference algorithm.

We have proven that our CFL-based inference system is sound (Appendix B) by reducing itto the system based on polymorphically-constrained types. We also present an O(n3) inferencealgorithm that should be efficient in practice.

2 Overview

To understand the use of context-free language reachability for label flow, we review past workconcerning context-sensitivity via universal polymorphism. Then we sketch how we adapt thisscheme to support existential polymorphism as well.

2.1 Universal Polymorphism and Label Flow

Consider the following program:

2

let id = λa.a in(idi 1L1) +L3 ...;(idj 2L2) +L4 ...

Here we have annotated the values 1 and 2 with labels L1 and L2, and we have annotated the +operations with L3 and L4. Our goal is to determine which labeled values will reach or “flow to”each + operation. We perform a simple monomorphic (context-insensitive) flow analysis as follows.We extend the base type of id to a type intLa → intLr annotated with labels. Here La is thelabel on the argument a and Lr is the label on the return. The body of id returns its argument,which we express with a constraint La ≤ Lr. Thus there is “flow” from the label on any integer wepass into id to the integer returned by id. Whenever we call a function, we generate a constraintto capture the flow of values into and out of the function. Here at the first call to id (ignorethe superscript on id for now), we make two constraints: L1 ≤ La and Lr ≤ L3. Putting theseconstraints together with the previous one, we get

L1 ≤ La ≤ Lr ≤ L3

and thus by transitivity we know that L1 flows to L3—which answers the question, “What labeledintegers might the first argument of +L3 evaluate to?” We can also think of these constraints asedges in a directed graph, where the nodes of the graph are labels and if L ≤ L′ then there is anedge from L to L′. Thus the above set of constraints is a path through a graph:

id

LaL1 Lr L3

→

Here we have also included edges representing the type structure of id. We call such a graph a flowgraph.1

Notice that if we continue this process for the second call to id, we get sound but conservativeflow. The second call generates the constraints L2 ≤ La and Lr ≤ L4. Putting this together withthe previous constraints yields the following graph:

id

La

L1

L2

Lr

L3

L4

→

here we see that L2 flows to L4, which will happen at run time, but the graph also suggests thatL1 flows to L4 and L2 flows to L3, which cannot actually happen. The analysis has lost precisionby conflating the two calls together.

This loss of precision can be corrected by adding context sensitivity or universal polymorphism tothe analysis so that we can differentiate between the flow generated by each call to id. Formally, wecan give id a polymorphically constrained type ∀La,Lr[La ≤ Lr].intLa → intLr, meaning that whenthis function is called, it produces flow from La to Lr according to its actual arguments. Every timeid is called in the program body, its type and constraints are instantiated to that specific context inwhich it is called. At the call id1, we instantiate the constraint as {La ≤ Lr}[La 7→ L1, Lr 7→ L3],which yields the constraint L1 ≤ L3. At the call id2, we instantiate La to L2 and Lr to L4,yielding the constraint L2 ≤ L4. Since we made two copies of the constraints for the two different

1To aid clarity, we draw constraint graphs in color, so viewing the electronic version of this paper may be helpful.

3

calls, there is no longer any spurious flow. We have effectively inlined the constraints at each callsite.

While this technique is effective, it requires explicit constraint copying (to inline them at eachcall site), which can be difficult to implement, especially if we wish to support polymorphic re-cursion. An alternative technique is to label edges in the constraint graph and perform CFLreachability to compute flow, as suggested by Rehof et al [8, 9]. In this solution, we label edges atcall sites with parentheses indexed by the call. For the example program, we would produce thefollowing flow graph:

id

La

L1 (i

L2 (j

Lr

L3)i

L4)j

→

In this graph, normal flow is shown using unlabeled edges. Data flow for calls is modeled usingedges labeled with indexed parentheses. Here edges from the call idi are labeled with (i for inputsand )i for outputs, and similarly for the call idj . When we look for paths through the graph, weonly accept paths that do not have mismatched parentheses. In this case, the paths from L1 to L3and from L2 to L4 are matched, while the other paths are mismatched and hence not considered.Intuitively, they correspond to unrealizable call-return sequences [15]. The result is a system thatsupports universal polymorphism.

2.2 Existential Polymorphism and Label Flow

The contribution of this paper is to show how to encode existential quantification into CFL reach-ability graphs. As a result, we are able to model uses of certain data structures more precisely.Consider the example shown in Figure 1. In this program, we create two functions f and g thatadd an unspecified value to their argument. We have labeled the + operators in these functionswith labels L3 and L4, respectively. As usual, we wish to determine what integers may flow tothese operators, i.e., what integers are passed in as arguments a and b. In the third line of thisprogram we create existentially-quantified pairs using pack operations in which f is paired with 1(labeled L1) and g with 2 (labeled L2). Using an if, we then conflate these two pairs by bindingto p. In the last line we use p by applying its first component to its second component.2

Notice that in this case, no matter which pair p is assigned, the function f is only ever applied to1, and the function g is only ever applied to 2. Figure 1 also shows the constraint graph generatedfor this example program. Similarly to universal types, we model existential types using edgeslabeled with subscripted parentheses. In this case, when we pack the pair (f, 1), instead of normalflow edges we generate edges labeled by i-parentheses, and similarly we generate edges labeled withj-parentheses when we pack the pair (g, 2).

To compute the flow for this graph, we again propagate labels along paths with no mismatchedparentheses. For example, in this graph there is a path

L2→(j • → · · · → • →)j b→ L4

from which we can conclude that L2, i.e., the value 2, may flow to L4, i.e., the addition operationin g. There is similarly a path from L1 to L3.

2Our examples use pattern matching combined with unpack for simplicity of presentation, but the formal languagein Section 3 uses projection and unpack operators.

4

let f = λa.a+L3 · · · inlet g = λb.b+L4 · · · inlet p = if0 · · · thenpacki (f, 1L1)

elsepackj (g, 2L2) in

unpack (p1, p2) = p inp1 @ p2

∃ type∃ type

f

a

L3

int

• int

×

•

L1

)i(i

• int

×

•

p

g

b

L4

int

• int

•

L2

)j(j

×

Figure 1: Example Program and Flow Graph

e ::= nL | x | λLx.e | e1@Le2 | if0L e0 then e1 else e2 | (e1, e2)L | e.Lj| let f = e1 in e2 | fix f.e1 | f i | packL,i e | unpackL x = e1 in e2

L ::= 〈constant labels〉

Figure 2: Language Syntax

However, notice crucially that there is no path from L2 to L3. This corresponds to our ob-servation that f is never applied to 2. Similarly there is no path from L1 to L4. In a label flowsystem without existentials, the edges labeled with parentheses would have been unlabeled, result-ing in spurious flow. Thus in this case, existential quantification permits conflating two existentialpackages without losing precision about the use of their members.

Intuitively, for universal quantification, we were able to generalize the type of id because id ispolymorphic in the label it is called with—whatever it is called with, it returns. For this examplewith existential polymorphism, we could generalize the type of the pairs because the rest of theprogram is polymorphic in the pairs—whichever pair is used by the program, the first elementis always applied to the second. It is this duality that allows us to encode both universal andexistential polymorphism using the same technique.

3 Label Flow with Polymorphically Constrained Types

We begin studying label flow in the context of a traditional polymorphically-constrained typesystem Copy, which is Mossin’s label flow system extended to model existential types. Note thatour system supports label polymorphism but not polymorphism in the type structure.

Figure 2 shows the language used throughout the paper. In this language, constructors anddestructors are annotated with constant labels L. (In this system we write function applicationwith @ to provide a position on which to write a label.) The goal of our type system is todetermine which constructor labels flow to which destructor labels. For example, in the expression(λLx.e)@L′e′, the label L flows to the label L′. Expressions include binding constructs let andfix, which introduce universal polymorphism. Each use of a universally quantified function f i isindexed by an instantiation site i. Expressions also include existential packages, which are created

5

types τ ::= intl | τ →l τ | τ ×l τ | ∃l~α[C].τtype schemes σ ::= ∀~α[C].τlabels l ::= L | αconstraints C ::= ∅ | {l ≤ l} | C ∪ C

Figure 3: Copy type definitions

with indexed packi and consumed with unpack. Instantiation sites are ignored in this section, butare used in Section 4.

Figure 3 shows the types used in the Copy system, which include integers, functions, pairsand existentially quantified types. All types are annotated with flow labels l, which may be eitherconstant labels L from the program text or label variables α. Universally-quantified functions aregiven polymorphically-constrained types of the form ∀~α[C].τ . Here C is a set of flow constraintsof the form l ≤ l′. In our type rules, we also use substitutions φ that map label variables to labels.Intuitively, the type ∀~α[C].τ stands for any type φ(τ) where φ(C) is satisfied, for any substitutionφ. When l ≤ l′, we say that label l “flows to” label l′. The type ∃l~α[C].τ stands for the type φ(τ)where constraints φ(C) are satisfied, for some substitution φ. Universal quantification may onlyappear at the top-level while existential types may appear at any position in a type. We define thefree labels of types and environments as usual:

fl(intl) ::= {l}fl(τ1 →l τ2) ::= {l} ∪ fl(τ1) ∪ fl(τ2)fl(τ1 ×l τ2) ::= {l} ∪ fl(τ1) ∪ fl(τ2)

fl(∃l~α[C].τ) ::= {l} ∪ ((fl(τ) ∪ fl(C)) \ ~α)fl(Γ, f : ∀~α[C].τ) ::= fl(Γ) ∪ ((fl(τ) ∪ fl(C)) \ ~α)

fl(C ∪ {l ≤ l′}) ::= fl(C) ∪ {l, l′}fl(Γ, x : τ) ::= fl(Γ) ∪ fl(τ)

The expression typing rules are presented in Figures 4 and 5. Our system is essentially identicalto that of Mossin [7], with new rules for existentials. Judgments have the form C; Γ `cp e : τ ,meaning in type environment Γ with flow constraints C, expression e has type τ . In these typerules we use C ` l ≤ l′ to mean that the constraint l ≤ l′ is in the transitive closure of theconstraints in C. We write C ` C ′ to mean that constraints in C ′ are in the transitive closure ofC.

Figure 4 contains the monomorphic typing rules, which are as in the standard λ calculus exceptfor the addition of labels and subtyping. The constructor rules ([Int], [Lam], and [Pair]) requireC ` L ≤ l, i.e., the constructor label L must flow to the corresponding label of the constructedtype. The destructor rules ([Cond], [App], and [Proj]) require the converse. The subtyping rule[Sub] is discussed below.

Figure 5 contains the polymorphic typing rules. Universal polymorphism is introduced in [Let]and [Fix]. As is standard, we allow generalization only of label variables that are not free in thetype environment Γ. Notice that in both these rules, the constraints C ′ that we use to type checke1 become the bound constraints in the polymorphic type. Whenever a variable with a universallyquantified type is used in the program text, its type is instantiated. The [Inst] rule can only beapplied if the instantiation C ′[~α 7→ ~l] of the polymorphic type’s constraints is included in the currentflow constraints C at that point.

6

IdC; Γ, x : τ `cp x : τ

IntC ` L ≤ l

C; Γ `cp nL : intl

LamC; Γ, x : τ `cp e : τ ′ C ` L ≤ l

C; Γ `cp λLx.e : τ →l τ ′App

C; Γ `cp e1 : τ →l τ ′

C; Γ `cp e2 : τ C ` l ≤ LC; Γ `cp e1@Le2 : τ ′

Pair

C; Γ `cp e1 : τ1 C; Γ `cp e2 : τ2

C ` L ≤ lC; Γ `cp (e1, e2)L : τ1 ×l τ2

Proj

C; Γ `cp e : τ1 ×l τ2

C ` l ≤ L j = 1, 2C; Γ `cp e.Lj : τj

Cond

C; Γ `cp e0 : intl C ` l ≤ LC; Γ `cp e1 : τ C; Γ `cp e2 : τ

C; Γ `cp if0L e0 then e1 else e2 : τSub

C; Γ `cp e : τ1

C; ∅ ` τ1 ≤ τ2

C; Γ `cp e : τ2

Figure 4: Copy Monomorphic Rules

Existentially quantified types are manipulated using pack and unpack. Since these existen-tial packages are passed around the program, we label them with concrete labels L as with otherconstructors and destructors. To understand [Pack] and [Unpack], recall that ∀ and ∃ are dualnotions. Notice that ∀ introduction ([Let]) restricts what can be universally quantified, and instan-tiation occurs at ∀ elimination ([Inst]). Thus intuitively, ∃ introduction ([Pack]) should performinstantiation, and ∃ elimination ([Unpack]) should restrict what can be existentially quantified.

In the rule [Pack], an expression e with a concrete type τ [~α 7→ ~l] is abstracted to a type ∃l~α[C ′].τ .The constraint system C ′ bound in the existential type is expressed over the quantified variables~α. Intuitively, these constraints C ′ are determined by how the existential package is used. [Pack]can only be applied if the current constraint system C entails the abstract constraints C ′ mappedback to concrete labels ~l.

In the rule [Unpack], we bind the contents of the type to x in the scope of e2. This ruleplaces two restrictions on the existential package. First, we must be able to type check e2 with theconstraints C ′ ∪C. Thus, any constraints among the existentially bound labels ~α that are requiredby e2 must be in C ′. Second, we require that the labels ~α do not escape the scope of the unpack,which is ensured by the subset constraint in this rule.

We could have chosen slightly different rules for [Let] and [Unpack] and still produced a soundsystem. In particular, we could have used the rules in Figure 6, in which we allow a union in [Let]but forbid quantification over fl(C), and we disallow a union in [Unpack] but allow quantificationover fl(C). Any combination of these possibilities is sound. However, it turns out that the rules inFigure 5 are most useful in proving that our CFL-based inference is sound.

The [Sub] rule in Figure 4 uses the subtyping relation shown in Figure 7. In these judgments,D is a map from labels to integer depths, which are initially empty by [Sub]. This mapping isused when subtyping existentials. Aside from these, [Sub-Int], [Sub-Pair], and [Sub-Fun] are allstandard. In the rule [Sub-∃], we allow one existential to subtype another only if they have thesame binding shape. In this rule, we update D so that bound variables in ~α are given their previousdepth plus one. For example, within the existential ∃l{l2}[∅].(intl1 , intl2) we have D(l1) = 0 andD(l2) = 1, assuming that their starting depths are zero. In rule [Sub-Label-1] we allow subtyping

7

[Let]

C ′; Γ `cp e1 : τ1 C; Γ, f : ∀~α[C ′].τ1 `cp e2 : τ2

~α ⊆ (fl(τ1) ∪ fl(C ′)) \ fl(Γ)C; Γ `cp let f = e1 in e2 : τ2

[Fix]

C ′; Γ, f : ∀~α[C ′].τ `cp e : τ C ` C ′[~α 7→ ~l]~α ⊆ (fl(τ) ∪ fl(C ′)) \ fl(Γ)

C; Γ `cp fix f.e : τ [~α 7→ ~l]

[Inst]C ` C ′[~α 7→ ~l]

C; Γ, f : ∀~α[C ′].τ `cp f i : τ [~α 7→ ~l]

[Pack]C; Γ `cp e : τ [~α 7→ ~l] C ` C ′[~α 7→ ~l] C ` L ≤ l

C; Γ `cp packL,i e : ∃l~α[C ′].τ

[Unpack]

C; Γ `cp e1 : ∃l~α[C ′].τ C ` l ≤ LC ∪ C ′; Γ, x : τ `cp e2 : τ ′

~α ⊆ (fl(τ) ∪ fl(C ′)) \ (fl(Γ) ∪ fl(C) ∪ fl(τ ′))

C; Γ `cp unpackL x = e1 in e2 : τ ′

Figure 5: Copy Polymorphic Rules

among labels only if they both have depth 0, i.e., they are not bound in existential types. The rule[Sub-Label-2] applies to bound variables, and it requires that they are bound at the same depthand are identical. Intuitively, a type with flow constraints C1 can be used in any position expectingthe same or fewer flows between labels. Thus the rule [Sub-∃] also requires C1 ` C2, meaning theconstraints C1 entail the constraints C2, or every constraint in C2 is implied by C1.

These restrictions forbid some clearly erroneous subtyping judgments such as

C ` ∃∅[∅].(intl, intl) ≤ ∃{l}[∅].(intl, intl)

This example should not be allowed to check in any context, because it would create a constraintbetween a bound label and an unbound label. However, these restrictions also forbid some validexistential subtyping, and it is an open question whether they can be relaxed while still maintainingefficient CFL reachability-based inference.

We prove soundness for Copy using a standard subject-reduction proof. We begin by defininga standard operational semantics e −→ e′, shown in Figure 8. We assume that all input programsare well-typed with respect to the standard types; hence they can never go wrong in our semantics.We wish to prove that, for any destructor that consumes a value, the actual constructor label thatis consumed appears in the set of labels computed by the analysis. If the program is in normalform this is trivial, because there are no more evaluation steps. Hence we prove this statementbelow for the case when the program takes a single step.

Definition 1 Suppose e −→ e′ and in the (single step) reduction, the destructor (if0, @, .j,unpack) labeled L′ consumes the constructor (n, λ, (·, ·), pack, respectively), labeled L. Then wewrite C ` e −→ e′ if C ` L ≤ L′. We also write C ` e −→ e′ if no value is consumed duringreduction (i.e., for let or fix).

8

[Let′]

C ∪ C ′; Γ `cp e1 : τ1 C; Γ, f : ∀~α[C ′].τ1 `cp e2 : τ2

~α ⊆ (fl(τ1) ∪ fl(C ′)) \ (fl(Γ) ∪ fl(C))C; Γ `cp let f = e1 in e2 : τ2

[Unpack′]

C; Γ `cp e1 : ∃l~α[C ′].τ C ` l ≤ LC ′; Γ, x : τ `cp e2 : τ ′

~α ⊆ (fl(τ) ∪ fl(C ′)) \ (fl(Γ) ∪ fl(τ ′))

C; Γ `cp unpackL x = e1 in e2 : τ ′

Figure 6: Alternative Copy Polymorphic Rules

[Sub-Label-1]

D(l) = D(l′) = 0C ` l ≤ l′

C;D ` l ≤ l′[Sub-Pair]

C;D ` l ≤ l′C;D ` τ1 ≤ τ ′1C;D ` τ2 ≤ τ ′2

C;D ` τ1 ×l τ2 ≤ τ ′1 ×l′τ ′2

[Sub-Label-2]D(l) > 0

C;D ` l ≤ l [Sub-Fun]

C;D ` l ≤ l′C;D ` τ ′1 ≤ τ1

C;D ` τ2 ≤ τ ′2C;D ` τ1 →l τ2 ≤ τ ′1 →l′ τ ′2

[Sub-Int]C;D ` l ≤ l′

C;D ` intl ≤ intl′[Sub-∃]

C1 ` C2

D′ = D[l 7→ D(l) + 1,∀l ∈ ~α]C;D′ ` τ1 ≤ τ2

C;D ` l1 ≤ l2C;D ` ∃l1~α[C1].τ1 ≤ ∃l2~α[C2].τ2

Figure 7: Copy Subtyping

Theorem 2 (Soundness) If C; Γ `cp e : τ and e −→∗ e′, then C ` e −→∗ e′.

The proof is by induction on the derivation of C; Γ `cp e : τ , and appears in Appendix A.

4 CFL-Based Label Flow Inference

Next, we present a label flow inference system CFL in the style of Rehof et al [8, 9]. In thissystem, constraints C no longer appear on quantified types. Rather, they are collected, alongwith instantiation constraints I, into a single inferred flow graph, such as the one shown earlier inFigure 1. We answer flow queries “Does any value at program point l1 flow to program point l2?”,which we write l1 l2, using CFL reachability queries on the flow graph.

We assume that the input program is well-typed with respect to standard types, and thatinstantiation indices i are unique per packi or f i. We also implicitly assume that the programmerhas decided which labels should be quantified for each existential type. The algorithm then infersthe equivalent of the constraints C from Copy as part of the flow graph.

9

(β) (λLx.e)@L′e′ −→ e[x 7→ e′](δ-if) if0L

′0L then e1 else e2 −→ e1

if0L′nL then e1 else e2 −→ e2 n 6= 0

(δ-pair) (e1, e2)L .L′j −→ ej j ∈ {1, 2}

(δ-let) let f = e′ in e −→ e[f 7→ e′](δ-exist) unpackL

′x = (packL,i e) in e′ −→ e′[x 7→ e]

(δ-fix) fix f.e −→ e[f 7→ fix f.e]

(Context)e1 −→ e2

E[e1] −→ E[e2]

E ::= [] | λLx.E | E@Le | e@LE | fix f.E

| if0L E then e else e′ | if0L e then E else e′

| if0L e then e′ else E | (E, e)L | (e,E)L | E.Lj| let f = E in e | let f = e in E| packL,i E | unpackL x = E in e | unpackL x = e in E

Figure 8: Operational Semantics

Types in CFL are given by

types τ ::= intl | τ →l τ | τ ×l τ | ∃l~α.τtype schemes σ ::= (∀~α.τ,~l)labels l ::= L | α

In contrast to Copy, polymorphic types do not include a constraint set. Universal types, however,include a set ~l of labels that should not be quantified in the type. In fact, we could omit the ~αcompletely, since for inference we can always choose for a type (∀~α.τ,~l) that ~α = fl(τ) \~l, but weleave in ~α to make proofs slightly easier. For existential types, we do not include a set ~l, because weassume that the programmer has specified which labels are existentially quantified. We will checkto see that the specification is correct when existentials are unpacked.

We write our inference rules in a style similar to checking rules but interpret them differently. Aconstraint C ` l ≤ l′ means that l ≤ l′ should be added to C. In addition to subtyping constraints,our inference system generates a set I of instantiation constraints of the form l �ip l′ [8]. Thisconstraint indicates that l has been renamed to l′ at instantiation site i; these are introduced bypacks and universal type instantiations and are the source of context-sensitivity in label flow. Thep indicates a polarity, which relates to the flow of data. In particular, when p is + then l flows tol′; when p is − then l′ flows to l. Therefore, in our examples (Figure 1 and Figure 13), we draw a

constraint l �i+ l′ as an edge l)i−→ l′, and we draw a constraint l �i− l′ as an edge l′

(i−→ l. In ourrules we write I ` l �ip l′ to mean the constraint l �ip l′ should be added to I.

Judgments in CFL have the form I;C; Γ ` e : τ . The base monomorphic rules for our systemare presented in Figure 9. In these rules, free occurrences of l should be treated as generation of afresh label variable. For example, in [Int], we choose l to be a fresh variable α. In [Lam], we pick atype τ with fresh label variables in every position. Otherwise, these rules are similar to Figure 4.

Figure 10 presents our polymorphic inference rules. We define fl(τ) to be the free labels of a

10

[Id]I;C; Γ, x : τ `CFL x : τ

[Int]C ` L ≤ l

I;C; Γ `CFL nL : intl

[Lam]I;C; Γ, x : τ `CFL e : τ ′ C ` L ≤ l

I;C; Γ `CFL λLx.e : τ →l τ ′[App]

I;C; Γ `CFL e1 : τ →l τ ′

I;C; Γ `CFL e2 : τC ` l ≤ L

I;C; Γ `CFL e1@Le2 : τ ′

[Pair]

I;C; Γ `CFL e1 : τ1 I;C; Γ `CFL e2 : τ2

C ` L ≤ lI;C; Γ `CFL (e1, e2)L : τ1 ×l τ2

[Proj]

I;C; Γ `CFL e : τ1 ×l τ2

C ` l ≤ L j = 1, 2I;C; Γ `CFL e.Lj : τj

[Cond]

I;C; Γ `CFL e0 : intl C ` l ≤ LI;C; Γ `CFL e1 : τ I;C; Γ `CFL e2 : τI;C; Γ `CFL if0L e0 then e1 else e2 : τ

[Sub]

I;C; Γ `CFL e : τ1

C; ∅; ∅ ` τ1 ≤ τ2

I;C; Γ `CFL e : τ2

Figure 9: CFL Monomorphic Rules

type as usual, except fl((∀~α.τ,~l) = (fl(τ) \ ~α) ∪~l:

fl(intl) = {l}fl(τ1 →l τ2) = fl(τ1) ∪ fl(τ2) ∪ {l}fl(τ1 ×l τ2) = fl(τ1) ∪ fl(τ2) ∪ {l}

fl(∃l~α.τ ) = (fl(τ) \ ~α) ∪ {l}fl(Γ, f : (∀~α.τ,~l)) = fl(Γ) ∪ (fl(τ) \ ~α) ∪~l

fl(Γ, x : τ) = fl(Γ) ∪ fl(τ)

In rules [Let] and [Fix], we bind a variable f to a universally quantified type. As is standard wecannot quantify label variables that are free in the environment Γ, and we represent this fact bysetting ~l = fl(Γ) in the type (∀~α.τ1,~l). The [Inst] rule instantiates the type of f by creating a copyτ ′ of τ with fresh label variables and generating an instantiation constraint τ �i+ τ ′. Intuitively,the instantiation constraint defines a renaming φ such that φ(τ) = τ ′. All non-quantifiable labels,i.e., all labels in ~l, should not be instantiated, which we model by requiring that any such labelinstantiate to itself.

In [Pack], an existential type is constructed by abstracting a concrete type τ ′ to abstract typeτ . In Copy’s [Pack], there is a substitution such that τ ′ = τ [~α 7→ ~l]. In CFL’s [Pack], we expressthis with an instantiation constraint I; ∅; ∅ ` τ �i− τ ′, similarly to [Inst]. Notice that the directionof the renaming here is opposite the direction of flow: The labels in τ ′ flow to the labels of τ , but τis instantiated to τ ′. Hence the instantiation has negative polarity. As another intuition, packinga type into an existential corresponds to passing an argument to “the rest of the program,” as ifthat was universally quantified, which implies negative instantiation.

We implicitly assume that the programmer has picked the set ~α in this rule. In contrast to[Inst], we do not generate any self-loops in [Pack], because we enforce a stronger restriction forescaping variables in [Unpack].

Finally, in Copy’s [Pack] rule, we also require that the packed type satisfies C ` C ′[~α 7→ ~l],where C ′ are the constraints induced by uses of the existential package (i.e., within the scope of

11

[Let]

I;C; Γ `CFL e1 : τ1 I;C; Γ, f : (∀~α.τ1,~l) `CFL e2 : τ2

~α = fl(τ1) \~l ~l = fl(Γ)I;C; Γ `CFL let f = e1 in e2 : τ2

[Fix]

I;C; Γ, f : (∀~α.τ,~l) `CFL e : τ ~α = fl(τ) \ fl(Γ) ~l = fl(Γ)I; ∅; ∅ ` τ �i+ τ ′ : φ dom(φ) = ~α I ` ~l �i+ ~l I ` ~l �i− ~l

I;C; Γ `CFL fix f.e : τ ′

[Inst]

I; ∅; ∅ ` τ �i+ τ ′ : φdom(φ) = ~α I ` ~l �i+ ~l I ` ~l �i− ~l

I;C; Γ, f : (∀~α.τ,~l) `CFL f i : τ ′

[Pack]

I;C; Γ `CFL e : τ ′ I; ∅; ∅ ` τ �i− τ ′ : φdom(φ) = ~α C ` L ≤ lI;C; Γ `CFL packL,i e : ∃l~α.τ

[Unpack]

I;C; Γ `CFL e1 : ∃l~α.τ I;C; Γ, x : τ `CFL e2 : τ ′~l = fl(Γ) ∪ fl(∃l~α.τ ) ∪ fl(τ ′) ∪ L ~α ⊆ fl(τ) \~l C ` l ≤ L

∀l ∈ ~α, l′ ∈ ~l.(I;C 6 `l m l′ and I;C 6 `l′ m l)

I;C; Γ `CFL unpackL x = e1 in e2 : τ ′

Figure 10: CFL Polymorphic Rules

the unpacks it flows to). Here we need not generate such a constraint explicitly, just as we did notgenerate such constraints in [Inst].

In [Unpack], the abstract existential type is treated as a concrete type for the scope of theunpack. As usual for existential types, no abstract label may escape, or it will break the abstraction.The last hypothesis of [Unpack] enforces a strong restriction so that not only may abstract labelsnot escape, but they may not constrain any escaping labels in any way. We express this restrictionby requiring that there are no matched flows (see below) between any labels in ~α and any labels in~l, which is the set of labels that escape. This includes free labels of the environment Γ, free labelsof the existential type that is unpacked ∃l~α.τ , free labels of the result type τ ′, and constants L.

The subtyping relation used in [Sub] is defined in Figure 11. Subtyping judgments have theform C;D1;D2 ` τ1 ≤ τ2. In these rules, D1 and D2 are sequences that are used to ensure thatlabels in corresponding positions in τ1 and τ2 are existentially quantified identically, in the samesense as Figure 7. In [Sub-∃], each time we recurse under an existential we add ~αi (the variablesbound in the existential) to Di. In [Sub-Index-1], we allow constraints between arbitrary labelswhen the Di are empty. However, in [Sub-Index-2], we allow subtyping among labels that appearin the Di only if they appear in the exactly the same positions. (Notice that we treat ~α as anordered sequence.) Intuitively, this subtyping in [Sub-Index-2] corresponds to alpha-renaming ofexistentially bound variables. The remainder of the rules are standard.

Figure 12 defines the instantiation of an abstract type to a concrete type. Judgments havethe form I;D ` τ �ip τ ′. Intuitively, the D has the same form as the Di in Figure 11, but we

12

[Sub-Index-1]C ` l ≤ l′

C; ∅; ∅ ` l ≤ l′

[Sub-Index-2]C ` lj ≤ l′j

C;D1 ⊕ {l1, . . . , ln};D2 ⊕ {l′1, . . . , l′n} ` lj ≤ l′j

[Sub-Index-3]C;D1;D2 ` l ≤ l′ l 6= li l′ 6= l′j ∀i, j ∈ [1..n]

C;D1 ⊕ {l1, . . . , ln};D2 ⊕ {l′1, . . . , l′n} ` l ≤ l′

[Sub-Int]C;D1;D2 ` l ≤ l′

C;D1;D2 ` intl ≤ intl′

[Sub-Pair]

C;D1;D2 ` l ≤ l′C;D1;D2 ` τ1 ≤ τ ′1C;D1;D2 ` τ2 ≤ τ ′2

C;D1;D2 ` τ1 ×l τ2 ≤ τ ′1 ×l′τ ′2

[Sub-Fun]

C;D1;D2 ` l ≤ l′C;D1;D2 ` τ ′1 ≤ τ1

C;D1;D2 ` τ2 ≤ τ ′2C;D1;D2 ` τ1 →l τ2 ≤ τ ′1 →l′ τ ′2

[Sub-∃]

D′1 = D1 ⊕ ~α1 D′2 = D2 ⊕ ~α2 φ( ~α2) = ~α1

C;D′1;D′2 ` τ1 ≤ τ2 C;D1;D2 ` l1 ≤ l2C;D1;D2 ` ∃l1 ~α1.τ1 ≤ ∃l2 ~α2.τ2

Figure 11: CFL Subtyping

only require one such list of vectors because we do not permit alpha renaming at instantiations.Alpha-renaming of existentials can always be accomplished by applying [Sub] before or after aninstantiation.

The rules for integers, pairs, and functions are standard [8]. The polarity p is used to trackthe direction of data flow across the renaming of τ to τ ′. Function arguments are treated con-travariantly; the notation p flips the polarity of p in [Inst-Fun]. Notice that we flip p but not theinstantiation direction, which follows because intuitively we are constructing a renaming from theleft-hand side of the instantiation constraint to the right-hand side, and we do not flip the directionof renaming under a function arrow. [Inst-∃] constructs D as [Sub-∃] in Figure 11.

Notice that rule [Inst-Index-2] prevents existentially bound labels from being instantiated. Thisrestriction enables us to work with the standard CFL reachability grammar, but it does meanthat existentials are always treated non-context sensitively in function calls. Figure 13 shows oneexample of this. In this program we pack two pairs. We can see that it is safe to quantify onlythe first element of both pairs, because the second element of p escapes the unpack. Thus the firstelement only is instantiated at the pack. However, notice that because the second element is notexistentially quantified, it can be universally quantified when passed to the function.

Once we have generated constraints, we apply the rules in Figure 14 to close the constraint

13

[Inst-Index-1]I ` l �ip l′ {(l, l′)} ∈ φ

I; ∅ ` l �ip l′ : φ

[Inst-Index-2]I;D ⊕ {l1, . . . , ln} ` lj �ip lj : ∅

[Inst-Index-3]I;D ` l ≤ l′ : φ l, l′ 6= li ∀i ∈ [1..n]

I;D ⊕ {l1, . . . , ln} ` l �ip l′ : φ

[Inst-Int]I;D ` l �ip l′ : φ

I;D ` intl �ip intl′

: φ

[Inst-Pair]

I;D ` l �ip l′ : φI;D ` τ1 �ip τ ′1 : φ I;D ` τ2 �ip τ ′2 : φ

I;D ` τ1 ×l τ2 �ip τ ′1 ×l′τ ′2 : φ

[Inst-Fun]

I;D ` l �ip l′ : φI;D ` τ1 �ip τ ′1 : φ I;D ` τ2 �ip τ ′2 : φ

I;D ` τ1 →l τ2 �ip τ ′1 →l′ τ ′2 : φ

[Inst-∃]D′ = D ⊕ ~α I;D′ ` τ1 �ip τ2 : φ I;D ` l1 �ip l2 : φ

I;D ` ∃l1~α.τ1 �ip ∃l2~α.τ2 : φ

Figure 12: CFL Instantiation

graph. Here the m subscript indicates matched paths. (Rehof et al also include additional pathsthat contain unmatched but no mismatched edges. However, here we concern ourselves only withconstants, which always produce matched paths.) Rule [Level] states that constraints in C corre-spond to flow (these are represented as unlabeled edges in the graph). Rule [Trans] adds transitiveclosure. Rule [Constant] adds a self-loop for every constant label in the program; intuitively wegenerate these edges because constants are global names. Finally, rule [Match] corresponds tomatched paths

l0(i→ l1 → l2

)i→ l3

Using these rules, the flow of constructors to destructors is defined as L flows to L′ if I;C ` L m L′.After we apply these rules, we also need to check the reachability condition in [Unpack]

The complexity of applying the CFL rules is relative to the size of the derivation. Let n bethe size of the type-annotated program. Then aside from the extra side conditions in [Unpack] andthe D’s in [Sub] and [Inst], the result of Rehof et al shows that applying the rules and computingall flows takes time O(n3) [8]. To implement [Sub-Index-i] efficiently, rather than maintaining Dsets explicitly and repeatedly traversing them, we temporarily mark each variable with a pair (i, j)indicating its position in D and its position in ~α as we traverse an existential type. We can assumewithout loss of generality that |~α| ≤ |fl(τ)| in an existential type, so traversing ~α does not increasethe complexity. Then we can select among [Sub-Index-1] and [Sub-Index-2] in constant time for

14

let id = λa.a inlet p = packi (1L1, 2L2) inlet z =

(unpack (x, y) = p in y) inlet q = packj (3L3, 4L4) inlet w = idk @ p inidl @ q

∃ type∃ type

∃ type∃ type

∃ type

•

×

•

L2

•

×

•

→ id

p

L1

(i

∃ type

•

×

•

L4

q

L3

(j

•

×

•

•

×

•

→id k

•

×

•

(k

)k

to id l call

to id l call

a

Figure 13: Comparison of Universal and Existential Quantification

[Level]C ` l1 ≤ l2

I;C ` l1 m l2[Trans]

I;C ` l0 m l1 I;C ` l1 m l2I;C ` l0 m l2

[Constant]I;C ` L �ip L

[Match]I ` l1 �i− l0 I;C ` l1 m l2 I ` l2 �i+ l3

I;C ` l0 m l3

Figure 14: Flow

each constraint C;D1;D2 ` l ≤ l′, so this does not affect the running time, and similarly for[Inst-Index-i].

Once we have computed all flows, we can easily check the side condition of [Unpack] by walkingthrough the labels in ~α and checking for paths to ~l and vice-versa. Since each set is of size O(n),this takes O(n2) time, and since there are O(n) uses of [Unpack], in total this takes O(n3) time.Thus the algorithm as a whole is O(n3) +O(n3) = O(n3).

We have proven that programs that check under CFL are reducible to Copy in Appendix B.

Theorem 3 (Reduction from CFL to Copy) Let D be a normal CFL derivation of I;C; Γ `CFLe : τ . Let CI = {l1 ≤ l2 | I;C ` l1 m l2}. Then given a particular translation function ΨC,I , it isthe case that CI ; ΨC,I(Γ) `cp e : ΨC,I(τ).

Proof: Theorem 37 shows the reduction under a subset CIfl(Γ)∪fl(τ) of CI , and then Lemma 6shows that we can prove the same statement under CI .

�

5 Related Work

As stated in the introduction, our work builds directly on the CFL reachability-based label flowsystem of Rehof et al [8]. Their cubic-time algorithm for polymorphic recursive label flow inference

15

improves on the previously best-known O(n8) algorithm [7]. The idea of using CFL reachability instatic analysis is due to Reps et al [15], who applied it to lower-order data flow analysis problems.

Existential types can be encoded in System F [16] (p. 377), in which polymorphism is first class.Wells showed that type inference for System F is undecidable [17]. There have been several proposalsto support first-class polymorphic type inference using type annotations to avoid the undecidabilityproblem. In MLF [18], programmers annotate function arguments that have universal types. Lauferand Odersky [19] propose an extension to ML with first-class existential types, and Remy [20]similarly proposes an extension with first-class universal types. In both systems, the programmermust explicitly list which type variables to quantify. Existential packs and unpacks correspondto data structure construction and pattern matching, and hence are determined by the programtext. In our system, we also require the programmer to specify packs and unpacks as well aswhich variables are quantified, but in contrast to these three systems we support subtyping (andtherefore we need polymorphically constrained types), rather than unification. Note that oursolution is restricted to label flow, and only existential types are first-class (but adding first-classuniversals with programmer-specified quantification would be straightforward). We believe fullfirst-class polymorphic type inference for label flow is decidable, although we do not have a proof.

Simonet [21] extends HM(X) [22], a generic constraint-based type inference framework, to in-clude first-class existential and universal polymorphism with subtyping. Simonet requires the pro-grammer to specify the polymorphically constrained type, including the subtyping constraints C,whereas we infer these (note that we assume we have the whole program). Another key differenceis that we use CFL reachability for inference. Once again, however, our system is concerned onlywith label flow.

In ours and the above systems, both quantification and pack and unpack must be specifiedmanually. Ideally, an inference algorithm requires no work from the programmer. For example, wecould envision a system in which all pairs and their uses are considered as candidate existentialtypes, and the algorithm chooses to quantify only those labels that lead to a minimal flow in thegraph. It is an open problem for our system whether such an algorithm exists that is efficient.

6 Conclusion

We have presented two systems for label flow inference that support Hindley-Milner style poly-morphism with polymorphic recursion and first-class existential quantification. The system Copy

models label flow using polymorphically constrained types in the style of Mossin [7], while ourinference system CFL is based on CFL reachability, in the style of Rehof et al [8]. Programmersspecify where existentials are introduced and eliminated, and our inference algorithm automaticallyinfers the bounds on their flow, which improves on past work. Our aim is to set a firm theoreticalfoundation on which to build efficient program analyses that benefit from existential quantification.We believe existential quantification is crucial for supporting efficient modeling of dynamic datastructures.

References

[1] Fahndrich, M., Rehof, J., Das, M.: Scalable Context-Sensitive Flow Analysis using Instanti-ation Constraints. In: Proceedings of the 2000 ACM SIGPLAN Conference on ProgrammingLanguage Design and Implementation, Vancouver B.C., Canada (2000) 253–263

16

[2] Das, M., Liblit, B., Fahndrich, M., Rehof, J.: Estimating the Impact of Scalable Pointer Anal-ysis on Optimization. In Cousot, P., ed.: Static Analysis, Eighth International Symposium.Volume 2126 of Lecture Notes in Computer Science., Paris, France, Springer-Verlag (2001)260–278

[3] Myers, A.C.: Practical Mostly-Static Information Flow Control. In: Proceedings of the 26thAnnual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, SanAntonio, Texas (1999) 228–241

[4] Kodumal, J., Aiken, A.: The Set Constraint/CFL Reachability Connection in Practice. In:Proceedings of the 2004 ACM SIGPLAN Conference on Programming Language Design andImplementation, Washington, DC (2004) 207–218

[5] Johnson, R., Wagner, D.: Finding User/Kernel Bugs With Type Inference. In: Proceedingsof the 13th Usenix Security Symposium, San Diego, CA (2004)

[6] Palsberg, J.: Type-based analysis and applications. In: Proceedings of the ACM SIG-PLAN/SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, Snow-bird, Utah (2001) 20–27

[7] Mossin, C.: Flow Analysis of Typed Higher-Order Programs. PhD thesis, DIKU, Departmentof Computer Science, University of Copenhagen (1996)

[8] Rehof, J., Fahndrich, M.: Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability. In: Proceedings of the 28th Annual ACM SIGPLAN-SIGACT Symposium onPrinciples of Programming Languages, London, United Kingdom (2001) 54–66

[9] Fahndrich, M., Rehof, J., Das, M.: From Polymorphic Subtyping to CFL Reachability:Context-Sensitive Flow Analysis Using Instantiation Constraints. Technical Report MS-TR-99-84, Microsoft Research (2000)

[10] Mitchell, J.C., Plotkin, G.D.: Abstract types have existential type. ACM Transactions onProgramming Languages and Systems 10 (1988) 470–502

[11] Das, M.: Unification-based Pointer Analysis with Directional Assignments. In: Proceedings ofthe 2000 ACM SIGPLAN Conference on Programming Language Design and Implementation,Vancouver B.C., Canada (2000) 35–46

[12] Xi, H., Pfenning, F.: Dependent Types in Practical Programming. In: Proceedings of the26th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages,San Antonio, Texas (1999) 214–227

[13] Flanagam, C., Abadi, M.: Types for Safe Locking. In Swierstra, D., ed.: 8th European Sym-posium on Programming. Volume 1576 of Lecture Notes in Computer Science., Amsterdam,The Netherlands, Springer-Verlag (1999) 91–108

[14] Minamide, Y., Morrisett, G., Harper, R.: Typed closure conversion. In: Proceedings of the23rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages,St. Petersburg Beach, Florida (1996) 271–283

[15] Reps, T., Horwitz, S., Sagiv, M.: Precise Interprocedural Dataflow Analysis via Graph Reacha-bility. In: Proceedings of the 22nd Annual ACM SIGPLAN-SIGACT Symposium on Principlesof Programming Languages, San Francisco, California (1995) 49–61

17

[16] Pierce, B.C.: Types and Programming Languages. The MIT Press (2002)

[17] Wells, J.B.: Typability and type checking in System F are equivalent and undecidable. Ann.Pure Appl. Logic 98 (1999) 111–156

[18] Botlan, D.L., Remy, D.: MLF—Raising ML to the Power of System F. In: Proceedings ofthe eighth ACM SIGPLAN International Conference on Functional Programming, Uppsala,Sweden (2003) 27–38

[19] Laufer, K., Odersky, M.: Polymorphic type inference and abstract data types. ACM Transac-tions on Programming Languages and Systems 16 (1994) 1411–1430

[20] Remy, D.: Programming objects with MLART: An extension to ML with abstract and recordtypes. In: Proceedings of theInternational Symposium on Theoretical Aspects of ComputerScience, Sendai, Japan (1994) 321–346

[21] Simonet, V.: An Extension of HM(X) with Bounded Existential and Universal Data Types.In: Proceedings of the eighth ACM SIGPLAN International Conference on Functional Pro-gramming, Uppsala, Sweden (2003) 39–50

[22] Odersky, M., Sulzmann, M., Wehr, M.: Type inference with constrained types. Theory andPractice of Object Systems 5 (1999) 35–55

A Proof of Soundness for Copy

We prove soundness for Copy using a standard subject-reduction style approach. We begin byproving a number of helpful lemmas. First, we need to show that it is sound in several placesto weaken a constraint system C to a constraint system C ′ where C ′ ` C. Intuitively this holdsbecause C ′ contains all the “flows” of C, hence all typing judgments are preserved.

Lemma 4 If C ′ ` C then C;D ` l ≤ l′ implies C ′;D ` l ≤ l′

Proof: By definition, C ′ ` C requires C ⊆ C ′. There are two possible ways we could have shownC;D ` l ≤ l′:Case [Sub-Label-1].

[Sub-Label-1]D(l) = D(l′) = 0 C ` l ≤ l′

C;D ` l ≤ l′

then {l ≤ l′} ⊆ C ′, and we hence we can apply [Sub-Label-1] to show C ′;D ` l ≤ l′.

Case [Sub-Label-2].

[Sub-Label-2]D(l) > 0

C;D ` l ≤ lObviously, [Sub-Label-2] can be applied for any C, so we also have C ′;D ` l ≤ l.

�

Lemma 5 (Constraint weakening in subtyping) If C;D ` τ ≤ τ ′ then for any C ′ such thatC ′ ` C it holds that C ′;D ` τ ≤ τ ′

18

Proof: By induction on the proof derivation of C;D ` τ ≤ τ ′.Case [Sub-Int]. By assumption, we have

[Sub-Int]C;D ` l ≤ l′

C;D ` intl ≤ intl′

Then from Lemma 4 we get C ′;D ` l ≤ l′ so applying [Sub-Int] again we have C ′;D ` intl ≤ intl′ .

Case [Sub-Pair]. By assumption, we have

[Sub-Pair]

C;D ` l ≤ l′C;D ` τ1 ≤ τ ′1C;D ` τ2 ≤ τ ′2

C;D ` τ1 ×l τ2 ≤ τ ′1 ×l′τ ′2

From Lemma 4 we have C ′;D ` l ≤ l′ and by induction we have C ′;D ` τ1 ≤ τ ′1 and C ′;D ` τ2 ≤ τ ′2.Then applying [Sub-Pair] again, we can show C ′;D ` τ1 ×l τ2 ≤ τ ′1 ×l

′τ ′2.

Case [Sub-Fun]. Similar to [Sub-Pair].

Case [Sub-∃]. By assumption, we have

[Sub-∃]

C1 ` C2

D′ = D[l 7→ D(l) + 1,∀l ∈ ~α]C;D′ ` τ1 ≤ τ2

C;D ` l1 ≤ l2C;D ` ∃l1~α[C1].τ1 ≤ ∃l2~α[C2].τ2

From Lemma 4 we have C ′;D ` l1 ≤ l2. By the induction hypothesis, we have C ′;D ` τ1 ≤ φ(τ2)so we can apply [Sub-∃] to prove C ′;D ` ∃~α[C1].τ1 ≤ ∃~α[C2].τ2

�

Lemma 6 (Constraint weakening in judgment) If C; Γ ` e : τ and C ′ ` C then C ′; Γ ` e : τ

Proof: By induction on the derivation of C; Γ ` e : τ . First, observe that if C ` l ≤ l′, thenC ′ ` l ≤ l′, by definition of C ′ ` C.Case [Id], [Int], [App], [Lam], [Pair], [Proj], and [Cond]. The first case is trivial. For theothers, apply induction and observe that C ′ ` L ≤ l or C ′ ` l ≤ L, as appropriate.

Case [Sub]. We have

[Sub]C; Γ `cp e : τ C; ∅ ` τ ≤ τ ′

C; Γ `cp e : τ ′

Apply induction, and observe that by Lemma 5, C ′; ∅ ` τ ≤ τ ′.

Case [Let]. We have

[Let]

C ′′; Γ `cp e1 : τ1 C; Γ, f : ∀~α[C ′′].τ1 `cp e2 : τ2

~α ⊆ (fl(τ1) ∪ fl(C ′′)) \ fl(Γ)C; Γ `cp let f = e1 in e2 : τ2

19

By induction, C ′; Γ, f : ∀~α[C ′′].τ1 `cp e2 : τ2. Thus we can apply [Let] to show C ′; Γ `cp let f =e1 in e2 : τ2.

Case [Fix]. We have

[Fix]

C ′′; Γ, f : ∀~α[C ′′].τ1 `cp e : τ1 C ` C ′′[~α 7→ ~l]~α ⊆ (fl(τ1) ∪ fl(C ′′)) \ fl(Γ)

C; Γ `cp fix f.e : τ1[~α 7→ ~l]

Then since C ′ ` C and C ` C ′′[~α 7→ ~l], we have C ′ ` C ′′[~α 7→ ~l]. Thus we can apply [Fix] to yieldC ′; Γ `cp fix f.e : τ1[~α 7→ ~l].

Case [Inst]. We have

[Inst]C ` C ′′[~α 7→ ~l]

C; Γ, f : ∀~α[C ′′].τ `cp f i : τ [~α 7→ ~l]

Then C ′ ` C ′′[~α 7→ ~l], and thus by [Inst], C ′; Γ, f : ∀~α[C ′′].τ `cp f i : τ [~α 7→ ~l].

Case [Pack]. We have

[Pack]

C; Γ `cp e : τ [~α 7→ ~l]C ` C ′′[~α 7→ ~l] C ` L ≤ lC; Γ `cp packL,i e : ∃~α[C ′′].τ ′

By induction, C ′; Γ `cp e : τ [~α 7→ ~l]. Then C ′ ` C ′′[~α 7→ ~l]. As before, we also have C ′ ` L ≤ l.Thus by [Pack], C ′; Γ `cp packL,i e : ∃~α[C ′′].τ ′.

Case [Unpack]. We have

[Unpack]

C; Γ `cp e1 : ∃~α[C ′′].τ1 C ` l ≤ LC ∪ C ′′; Γ, x : τ1 `cp e2 : τ

~α ⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(τ) ∪ fl(C))

C; Γ `cp unpackL x = e1 in e2 : τ

By induction, C ′; Γ `cp e1 : ∃~α[C ′′].τ1. Since C ′ ` C, we have C ′ ` l ≤ L and C ′ ∪ C ′′ ` C ∪ C ′′.Thus also by induction, C ′∪C ′′; Γ, x : τ1 `cp e2 : τ . We can always apply alpha renaming to ~α in C ′′

and τ1 so that fl(C ′)∩~α = ∅, and therefore we have ~α ⊆ (fl(τ1) ∪ fl(C ′′))\(fl(Γ) ∪ fl(C ′) ∪ fl(τ)).Thus we can apply [Unpack] to show C ′; Γ `cp unpackL x = e1 in e2 : τ .

�

The following lemma is useful for proving soundness of unpack. Intuitively, we will use thislemma to reason about subtyping step C;D ` ∃l1~α[C1].τ1 ≤ ∃l2~α[C2].τ2. Specifically, it will allowus to derive C; ∅ ` ψ(τ1) ≤ ψ(τ2) for a substitution ψ() on ~α, because [Sub-Label-2] requires thatany labels in ~α have identical occurrences in τ1 and τ2,

Lemma 7 Let D = D′ ◦ [l 7→ 1,∀l ∈ ~α]), where dom(D′) ∩ ~α = ∅. Then if C;D ` τ1 ≤ τ2 anddom(ψ) = ~α, then C;D′ ` ψ(τ1) ≤ ψ(τ2)

20

Proof: Proof by induction on the derivation C;D ` τ1 ≤ τ2.Case [Sub-Label-1]. We have

[Sub-Label-1]D(l) = D(l′) = 0 C ` l ≤ l′

C;D ` l ≤ l′

But then l 6∈ dom(ψ) and l′ 6∈ dom(ψ), so ψ(l) = l and ψ(l′) = l′. But then since C ` l ≤ l′, clearlyC; ∅ ` ψ(l) ≤ ψ(l′).

Case [Sub-Label-2]. We have

[Sub-Label-2]D(l) > 0

C;D ` l ≤ l

This case is trivial, since C; ∅ ` ψ(l) ≤ ψ(l).

Case [Sub-Pair]. We have

[Sub-Pair]

C;D ` l ≤ l′C;D ` τ1 ≤ τ ′1C;D ` τ2 ≤ τ ′2

C;D ` τ1 ×l τ2 ≤ τ ′1 ×l′τ ′2

By induction, C; ∅ ` ψ(l) ≤ ψ(l′). Also by induction, C; ∅ ` ψ(τi) ≤ ψ(τ ′i). Hence by [Sub-Pair],C; ∅ ` ψ(τ1 ×l τ2) ≤ ψ(τ ′1 ×l

′τ ′2).

Case [Sub-Int], [Sub-Fun]. Similar to [Sub-Pair].

Case [Sub-∃]. We have

[Sub-∃]

C1 ` C2

D′′ = D[l 7→ D(l) + 1,∀l ∈ ~β]C;D′′ ` τ1 ≤ τ2

C;D ` l1 ≤ l2C;D ` ∃l1 ~β[C1].τ1 ≤ ∃l2 ~β[C2].τ2

By alpha conversion, we can assume that ~β∩dom(ψ) = ∅, ~β∩fl(rng(ψ)) = ∅, and ~β∩dom(D′) = ∅.Notice that D′′ = (D′[l 7→ D(l) + 1,∀l ∈ ~β]) ◦ [l 7→ 1,∀l ∈ ~α]. (The order doesn’t matter becausethe domains of the substitutions are all different.) Then by induction, C;D′[l 7→ D(l)+1,∀l ∈ ~β] `ψ(τ1) ≤ ψ(τ2). Further, since C1 ` C2, we have ψ(C1) ` ψ(C2). Then since we assumed ψ did notreplace or capture any variables in ~β, by [Sub-∃], we have C;D′ ` ψ(∃l1 ~β[C1].τ1) ≤ ψ(∃l2 ~β[C2].τ2).

�

The next lemmas show that in a polymorphically constrained type, we can safely weaken thebound constraints C into C ′ where C ′ ` C. Because existential types are first-class in our system,changing the bound constraints may also change types τ on the right-hand side of a typing judgment.

Let χ range over quantifiers, either ∀ or ∃. We define polytypes(τ) to be the set {χi ~αi[Ci].τi} ofoccurrences of quantified types in τ . As a shorthand, we write χi for the ith element of this set,

21

and we define χi〈C ′〉 = χi ~αi[C ′ ∪Ci].(τi〈C ′〉), i.e., we union C ′ with any bound constraint systems.We implicitly alpha rename bound type variables as necessary to avoid capturing variables in C ′,i.e., we assume ~αi ∩ C ′ = ∅. Here τ〈C〉 is τ where each χi ∈ polytypes(τ) is replaced by χi〈C〉. Wedefine polytypes(Γ) to be the set of occurrences of quantified types in the range of Γ, and we defineΓ〈C〉 to be Γ with 〈C〉 applied to the range of Γ.

Lemma 8 If C;D ` τ ≤ τ ′, then C;D ` τ〈C ′〉 ≤ τ ′〈C ′〉.

Proof: By induction on the derivation of C ` τ ≤ τ ′. The [Sub-Pair], [Sub-Fun], and [Sub-Int]cases are straightforward.Case [Sub-∃]. We have

[Sub-∃]

C1 ` C2

D′ = D[l 7→ D(l) + 1,∀l ∈ ~α1]C;D′ ` τ1 ≤ τ2

C;D ` l1 ≤ l2C;D1;D2 ` ∃l1~α[C1].τ1 ≤ ∃l2~α[C2].τ2

By induction, we have C;D′ ` τ1〈C ′〉 ≤ τ2〈C ′〉. Further, since C1 ` C2, we have C1 ∪C ′ ` C2 ∪C ′.Putting these together and applying [Sub-∃] yields C;D ` ∃l1~α[C1 ∪ C ′].(τ1〈C ′〉) ≤ ∃l2~α[C2 ∪C ′].(τ2〈C ′〉).

�

Lemma 9 (Constraint weakening in polymorphic types) If C; Γ ` e : τ , then C∪C ′; Γ〈C ′〉 `e : τ〈C ′〉.

Proof: First, observe that by Lemma 6, we may assume C∪C ′; Γ ` e : τ . Then the proof proceedsby induction on the derivation of C ∪ C ′; Γ ` e : τ .Case [Id]. We have

[Id]C ∪ C ′; Γ, x : τ `cp x : τ

Then trivially we have[Id]

C ∪ C ′; Γ〈C ′〉, x : τ〈C ′〉 `cp x : τ〈C ′〉

Case [Int]. Trivial.

Case [Lam]. We have

[Lam]C ∪ C ′; Γ, x : τ1 `cp e : τ2 C ∪ C ′ ` L ≤ l

C ∪ C ′; Γ `cp λLx.e : τ1 →l τ2

22

By induction we have C ∪ C ′; Γ〈C ′〉, x : τ1〈C ′〉 `cp e : τ2〈C ′〉. Then by [Lam], we have C ∪C ′; Γ〈C ′〉 `cp λLx.e : (τ1 →l τ2)〈C ′〉.

Case [App], [Pair], [Proj], and [Cond]. Similar to [Lam].

Case [Sub]. We have

[Sub]

C ∪ C ′; Γ `cp e : τ1

C ∪ C ′; ∅ ` τ1 ≤ τ2

C ∪ C ′; Γ `cp e : τ2

By induction, C∪C ′; Γ〈C ′〉 `cp e : τ1〈C ′〉. Further, by Lemma 8, we have C∪C ′; ∅ ` τ1〈C ′〉 ≤ τ2〈C ′〉.Thus applying [Sub], we have C ∪ C ′; Γ `cp e : τ2〈C ′〉.

Case [Let]. We have

[Let]

Cf ; Γ `cp e1 : τ1 C ∪ C ′; Γ, f : ∀~α[Cf ].τ1 `cp e2 : τ2

~α ⊆ (fl(τ1) ∪ fl(Cf )) \ fl(Γ)C ∪ C ′; Γ `cp let f = e1 in e2 : τ2

By induction, we have Cf ∪C ′; Γ〈C ′〉 `cp e1 : τ1〈C ′〉. Also by induction, we have C ∪C ′; Γ〈C ′〉, f :(∀~α[Cf ].τ1)〈C ′〉 `cp e2 : τ2〈C ′〉 since C ∪ C ′ ∪ C ′ = C ∪ C ′. Since fl(C ′) ∩ ~α = ∅, we have(∀~α[Cf ].τ1)〈C ′〉 = ∀~α[Cf ∪ C ′].(τ1〈C ′〉). Further, fl(Γ〈C ′〉) = fl(Γ) ∪ fl(C ′) and fl(τ1〈C ′〉) =fl(τ1)∪ fl(C ′), hence we have ~α ⊆ (fl(τ1〈C ′〉) ∪ fl(Cf ∪ C ′)) \ fl(Γ)〈C ′〉. Thus we can apply [Let]to yield C ∪ C ′; Γ〈C ′〉 `cp let f = e1 in e2 : τ2〈C ′〉.

Case [Fix]. Similar to [Let].

Case [Inst]. We have

[Inst]C ∪ C ′ ` Cf [~α 7→ ~l]

C ∪ C ′; Γ, f : ∀~α[Cf ].τ `cp f i : τ [~α 7→ ~l]

By our alpha-renaming convention, fl(C ′) ∩ ~α = ∅. Then (Γ, f : ∀~α[Cf ].τ)〈C ′〉 = Γ〈C ′〉, f :∀~α[Cf ∪ C ′].(τ〈C ′〉). Clearly C ∪ C ′ ` Cf [~α 7→ ~l] ∪ C ′, and by our alpha-renaming conventionCf [~α 7→ ~l]∪C ′ = (Cf ∪C ′)[~α 7→ ~l]. Therefore applying [Inst] yields C∪C ′; (Γ, f : ∀~α[Cf ].τ)〈C ′〉 `cpf i : (τ〈C ′〉)[~α 7→ ~l]. Then since by our alpha-renaming convention (τ〈C ′〉)[~α 7→ ~l] = (τ [~α 7→ ~l])〈C ′〉,we have shown the conclusion.

Case [Pack]. We have

[Pack]C ∪ C ′; Γ `cp e : τ [~α 7→ ~l] C ∪ C ′ ` C1[~α 7→ ~l] C ∪ C ′ ` L ≤ l

C ∪ C ′; Γ `cp packL,i e : ∃l~α[C1].τ

By induction, C ∪C ′; Γ〈C ′〉 `cp (τ [~α 7→ ~l])〈C ′〉 since C ∪C ′ ∪C ′ = C ∪C ′. By our alpha-renamingconvention, fl(C ′) ∩ ~α = ∅, so (τ [~α 7→ ~l])〈C ′〉 = (τ〈C ′〉)[~α 7→ ~l]. Clearly C ∪ C ′ ` C1[~α 7→ ~l] ∪ C ′,and also by our alpha-renaming convention C1[~α 7→ ~l]∪C ′ = (C1∪C ′)[~α 7→ ~l]. Thus applying [Pack]we have C ∪ C ′; Γ〈C ′〉 ` packL,i e : ∃l~α[C1 ∪ C ′].(τ〈C ′〉). And by our alpha-renaming convention,

23

∃l~α[C1 ∪ C ′].(τ〈C ′〉) = (∃l~α[C1].τ)〈C ′〉, so we have shown the conclusion.

Case [Unpack]. We have

[Unpack]

C ∪ C ′; Γ `cp e1 : ∃l~α[C1].τ1 C ∪ C ′ ` l ≤ LC ∪ C ′ ∪ C1; Γ, x : τ1 `cp e2 : τ

~α ⊆ (fl(τ1) ∪ fl(C1)) \ (fl(Γ) ∪ fl(τ) ∪ fl(C) ∪ fl(C ′))C ∪ C ′; Γ `cp unpackL x = e1 in e2 : τ

By induction, C∪C ′; Γ〈C ′〉 `cp e1 : (∃l~α[C1].τ1)〈C ′〉. By our alpha-renaming convention, (∃l~α[C1].τ1)〈C ′〉 =∃l~α[C1 ∪ C ′].(τ1〈C ′〉). Also by induction, C ∪ C ′ ∪ C1; Γ〈C ′〉, x : τ1〈C ′〉 `cp e2 : τ〈C ′〉. Finally,~α ⊆ (fl(τ1〈C ′〉) ∪ fl(C1 ∪ C ′)) \ (fl(Γ〈C ′〉) ∪ fl(τ〈C ′〉) ∪ fl(C) ∪ fl(C ′)) since fl(Γ〈C ′〉) = fl(Γ)∪fl(C ′), fl(τ1〈C ′〉) = fl(τ1)∪ fl(C ′), fl(τ〈C ′〉) = fl(τ)∪ fl(C ′), and we assume by alpha-renamingthat fl(C ′) ∩ ~α = ∅. Thus applying [Unpack] yields C ∪ C ′; Γ `cp unpackL x = e1 in e2 : τ〈C ′〉.

�

Next we prove the substitution lemma for monomorphic types. Because in rule [Let], we fixedthe set of constraints in the quantified type to be exactly the constraints for e1 and e2, respectively,we need a slightly nonstandard lemma: When we replace a variable with an expression, we mightneed to add the constraints for that expression to quantified types in the environment and in theresult type. Hence the definition of 〈C ′〉 above. While we could have used a [Let] rule that issimpler to reason about for soundness, or changed the [Unpack] rule to match [Let], this particularformulation turns out to be very helpful in proving correspondence between the CFL and Copy

in Appendix B.

Lemma 10 (Substitution lemma) If C; Γ, x : τ ′ `cp e : τ , C ` C ′, and C ′; Γ `cp e′ : τ ′, thenC; Γ〈C ′〉 `cp e[x 7→ e′] : τ〈C ′〉.

Proof: The proof proceeds by induction on the derivation of C; Γ, x : τ ′ `cp e : τ .Case [Id]. There are two cases. First, if e = x, we have

C; Γ, x : τ ′ `cp x : τ ′

Then τ = τ ′, and since x[x 7→ e′] = e′, by our assumption C ′; Γ `cp e′ : τ ′ we have C; Γ〈C ′〉 `cp e′ :τ ′〈C ′〉 by Lemmas 6 and 9.

Otherwise, we have

C; Γ, x : τ `cp y : τ

where y 6= x. Hence y ∈ dom(Γ), and since y[x 7→ e′] = y, by Lemma 9 we have C; Γ〈C ′〉, x :τ〈C ′〉 `cp y : τ〈C ′〉.

Case [Int]. Trivial.

Case [Lam]. We have

[Lam]C; Γ, x : τ ′, y : τ1 `cp e2 : τ2 C ` L ≤ l

C; Γ, x : τ ′ `cp λLy.e2 : τ1 →l τ2

24

Using alpha renaming we can assume y 6= x, and hence C; Γ, y : τ1, x : τ ′ `cp e2 : τ2. Then byinduction we have C; Γ〈C ′〉, y : τ1〈C ′〉 `cp e2[x 7→ e′] : τ2〈C ′〉. Thus we can apply [Lam] to yieldC; Γ〈C ′〉 `cp (λLy.e2)[x 7→ e′] : (τ1 →l τ2)〈C ′〉.

Case [App]. We have

[App]

C; Γ, x : τ ′ `cp e1 : τ2 →l τC; Γ, x : τ ′ `cp e2 : τ2 C ` l ≤ L

C; Γ, x : τ ′ `cp e1@Le2 : τ

Then by induction, we have C; Γ〈C ′〉 `cp e1[x 7→ e′] : (τ2 →l τ)〈C ′〉 and C; Γ〈C ′〉 `cp e2[x 7→ e′] :τ2〈C ′〉. Therefore we can apply [App] to yield C; Γ〈C ′〉 `cp (e1@Le2)[x 7→ e′] : τ〈C ′〉.

Case [Pair], [Proj], [Cond]. Similar to [App].

Case [Sub]. We have

[Sub]

C; Γ, x : τ ′ `cp e : τ1

C; ∅ ` τ1 ≤ τ2

C; Γ, x : τ ′ `cp e : τ2

By induction, we have C; Γ〈C ′〉 `cp e[x 7→ e′] : τ1〈C ′〉. By Lemma 5, we have C; ∅ ` τ1〈C ′〉 ≤ τ2〈C ′〉.Thus we can apply [Sub] to yield C; Γ〈C ′〉 `cp e[x 7→ e′] : τ2〈C ′〉.

Case [Let]. We have

[Let]

C ′′; Γ, x : τ ′ `cp e1 : τ1

C; Γ, x : τ ′, f : ∀~α[C ′′].τ1 `cp e2 : τ2

~α ⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(τ ′))C; Γ, x : τ ′ `cp let f = e1 in e2 : τ2

By Lemma 6 and induction, we have C ′ ∪ C ′′; Γ〈C ′〉 `cp e1[x 7→ e′] : τ1〈C ′〉. Then since x 6= f(they are in different syntactic categories), by induction we also have C; Γ〈C ′〉, f : (∀~α[C ′′].τ1)〈C ′〉 `e2[x 7→ e′] : τ2〈C ′〉. By our alpha-renaming convention, fl(C ′) ∩ ~α = ∅, so (∀~α[C ′′].τ1)〈C ′〉 =∀~α[C ′ ∪ C ′′].τ1〈C ′〉. Finally,

~α ⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(τ ′))⊆ (fl(τ1) ∪ fl(C ′′)) \ fl(Γ)⊆ (fl(τ1〈C ′〉) ∪ fl(C ′′) ∪ fl(C ′)) \ fl(Γ〈C ′〉)

where the last step holds since we assume fl(C ′) ∩ ~α = ∅. Hence we can apply [Let] to yieldC; Γ〈C ′〉 `cp (let f = e1 in e2)[x 7→ e′] : τ2〈C ′〉.

Case [Fix]. Similar to [Let] and [Inst].

Case [Inst]. By Lemma 9 we have C; Γ〈C ′〉, x : τ ′〈C ′〉, f : (∀~α[C ′′ ∪ C ′].(τ))〈C ′〉 `cp f i : τ〈C ′〉.Then since fi[x 7→ e′] = fi (note we assume different syntactic forms for functions and localvariables), we trivially have C; Γ〈C ′〉, f : (∀~α[C ′′ ∪ C ′].(τ))〈C ′〉 `cp f i[x 7→ e′] : τ〈C ′〉

Case [Pack]. We have

[Pack]C; Γ, x : τ ′ `cp e : τ [~α 7→ ~l] C ` C ′′[~α 7→ ~l] C ` L ≤ l

C; Γ, x : τ ′ `cp packL,i e : ∃l~α[C ′′].τ

25

By induction, C; Γ〈C ′〉 `cp e[x 7→ e′] : (τ [~α 7→ ~l])〈C ′〉. Since we assume by alpha renaming thatfl(C ′) ∩ ~α = ∅, we have (τ [~α 7→ ~l])〈C ′〉 = (τ〈C ′〉)[~α 7→ ~l]. Further, since C ` C ′, we haveC ` C ′ ∪ C ′′[~α 7→ ~l], and again since fl(C ′) ∩ ~α = ∅ we have C ` (C ′ ∪ C ′′)[~α 7→ ~l]. Then applying[Pack] yields C; Γ〈C ′〉 `cp (packL,i e)[x 7→ e′] : (∃l~α[C ′′].τ)〈C ′〉.

Case [Unpack]. We have

[Unpack]

C; Γ, x : τ ′ `cp e1 : ∃l~α[C ′′].τ1 C ` l ≤ LC ∪ C ′′; Γ, x : τ ′, y : τ1 `cp e2 : τ

~α ⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(τ ′) ∪ fl(τ) ∪ fl(C))

C; Γ, x : τ ′ `cp unpackL y = e1 in e2 : τ

Assume by alpha renaming that x 6= y. Then by induction, C; Γ〈C ′〉 `cp e1[x 7→ e′] : (∃l~α[C ′′].τ1)〈C ′〉.By our alpha renaming convention, we assume fl(C ′) ∩ ~α = ∅, hence (∃l~α[C ′′].τ1)〈C ′〉 = ∃l~α[C ′ ∪C ′′].(τ1〈C ′〉). Since C ` C ′, we have C ∪ C ′ ∪ C ′′ = C ∪ C ′′. Thus by Lemma 6 and induction wehave C ∪ C ′ ∪ C ′′; Γ〈C ′〉, y : τ1〈C ′〉 `cp e2[x 7→ e′] : τ〈C ′〉. Finally,

~α ⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(τ ′) ∪ fl(τ) ∪ fl(C))⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(τ) ∪ fl(C))⊆ (fl(τ1〈C ′〉) ∪ fl(C ′′) ∪ fl(C ′)) \ (fl(Γ〈C ′〉) ∪ fl(τ〈C ′〉) ∪ fl(C))

again because we assume fl(C ′) ∩ ~α = ∅. Hence we can apply [Unpack] to yield C; Γ〈C ′〉 `cp(unpackL y = e1 in e2)[x 7→ e′] : τ〈C ′〉.

�

Lemma 11 (Polymorphic substitution lemma) If C; Γ, f : ∀~α[C ′].τ ′ `cp e : τ and C ′; Γ `cpe′ : τ ′ where ~α ∩ fl(Γ) = ∅, then C; Γ `cp e[f 7→ e′] : τ .

Proof: By induction on the derivation of C; Γ, f : ∀~α[C ′].τ ′ `cp e : τ .Case [Id]. Trivial, since x[f 7→ e′] = x (note we assume different syntactic forms for functionsand local variables).

Case [Int]. Trivial.

Case [Lam]. We have

[Lam]C; Γ, f : ∀~α[C ′].τ ′, x : τ1 `cp e : τ2 C ` L ≤ l

C; Γ, f : ∀~α[C ′].τ ′ `cp λLx.e : τ1 →l τ2

By alpha conversion, we can assume ~α ∩ fl(τ1) = ∅ and C ′; Γ, x : τ1 `cp e′ : τ ′. Then sincex 6= f , by induction we have C; Γ, x : τ1 `cp e[f 7→ e′] : τ2. But then applying [Lam] we haveC; Γ `cp (λLx.e)[f 7→ e′] : τ1 →l τ2.

Case [App]. We have

[App]

C; Γ, f : ∀~α[C ′].τ ′ `cp e1 : τ2 →l τ1

C; Γ, f : ∀~α[C ′].τ ′ `cp e2 : τ2 C ` l ≤ LC; Γ, f : ∀~α[C ′].τ ′ `cp e1@Le2 : τ1

26

By induction, we have C; Γ `cp e1[f 7→ e′] : τ2 →l τ1 and C; Γ `cp e2[f 7→ e′] : τ2. Then applying[App] yields C; Γ `cp (e1@Le2)[f 7→ e′] : τ1.

Case [Pair], [Proj], [Cond], [Sub]. Analogous to [App].

Case [Let]. We have

[Let]

C ′′; Γ, f : ∀~α[C ′].τ ′ `cp e1 : τ1

C; Γ, f : ∀~α[C ′].τ ′, g : ∀~β[C ′′].τ1 `cp e2 : τ2

~β ⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(∀~α[C ′].τ ′))C; Γ, f : ∀~α[C ′].τ ′ `cp let g = e1 in e2 : τ2

By induction, C ′′; Γ `cp e1[f 7→ e′] : τ1. Assuming by alpha renaming that f 6= g, by induction wealso have C; Γ, g : ∀~β[C ′′].τ1 `cp e2[f 7→ e′] : τ2. Finally,

~β ⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(∀~α[C ′].τ ′))⊆ (fl(τ1) ∪ fl(C ′′)) \ fl(Γ)

so we can apply [Let] to show C; Γ `cp (let g = e1 in e2)[f 7→ e′] : τ2.

Case [Fix]. Similar to [Let] and [Inst].

Case [Inst]. There are two cases. If e 6= f , then the conclusion holds trivially, since e[f 7→ e′] = e.Otherwise, we have

[Inst]C ` C ′[~α 7→ ~l]

C; Γ, f : ∀~α[C ′].τ `cp f i : τ [~α 7→ ~l]

By assumption, C ′; Γ `cp e′ : τ ′. Then C ′[~α 7→ ~l]; Γ[~α 7→ ~l] `cp e′ : τ [~α 7→ ~l]. But since byassumption ~α ∩ fl(Γ) = ∅, we then have C ′[~α 7→ ~l]; Γ `cp e′ : τ [~α 7→ ~l]. But C ` C ′[~α 7→ ~l], and soby Lemma 6, C; Γ `cp e′ : τ [~α 7→ ~l], and so we have shown the conclusion, since f i[f 7→ e′] = e′.

Case [Pack]. We have

[Pack]C; Γ, f : ∀~α[C ′].τ ′ `cp e : τ [~β 7→ ~l] C ` C ′′[~β 7→ ~l] C ` L ≤ l

C; Γ, f : ∀~α[C ′].τ ′ `cp packL,i e : ∃l~β[C ′′].τ

By induction, we have C; Γ `cp e[f 7→ e′] : τ [~β 7→ ~l]. But then we can apply [Pack] to showC; Γ `cp (packL,i e)[f 7→ e′] : ∃l~β[C ′′].τ .

Case [Unpack]. We have

[Unpack]

C; Γ, f : ∀~α[C ′].τ ′ `cp e1 : ∃l~β[C ′′].τ1 C ` l ≤ LC ∪ C ′′; Γ, f : ∀~α[C ′].τ ′, x : τ1 `cp e2 : τ

~β ⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(∀~α[C ′].τ ′) ∪ fl(τ) ∪ fl(C))

C; Γ, f : ∀~α[C ′].τ ′ `cp unpackL x = e1 in e2 : τ

By induction, we have C; Γ `cp e1[f 7→ e′] : ∃l~β[C ′′].τ1. Also by induction, assuming that f 6= x(since functions are in a different syntactic category), we have C ∪ C ′′; Γ, x : τ1 `cp e2[f 7→ e′] : τ .Finally,

~β ⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(∀~α[C ′].τ ′) ∪ fl(τ) ∪ fl(C))⊆ (fl(τ1) ∪ fl(C ′′)) \ (fl(Γ) ∪ fl(τ) ∪ fl(C))

27

Thus we can apply [Unpack] to show C; Γ ` (unpackL x = e1 in e2)[f 7→ e′] : τ .

�

Finally, we can state and prove our soundness theorem. We assume that the program is well-typed with respect to the standard types. Hence, every program is either in normal form or cantake a step. We wish to prove that, for any destructor that consumes a value, the actual constructorlabel that is consumed appears in the set of labels computed by the analysis. If the program isin normal form this is trivial, because there are no more evaulation steps. Hence we prove thisstatement below for the case when the program takes a single step.

Definition 12 Suppose e −→ e′ and in the (single step) reduction, the destructor (if0, @, .j,unpack) labeled L′ consumes the constructor (n, λ, (·, ·), pack) labeled L. Then we write C ` e −→e′ if C ` L ≤ L′. We also write C ` e −→ e′ if no value is consumed during reduction (e.g., forlet or fix).

Notice that if C ` e −→ e′ and E[e] −→ E[e′], then C ` E[e] −→ E[e′], since reducing insideof a context does not change which destructor consumed which constructor. We will use this factimplicitly in the proof below.

Lemma 13 (Preservation) If C; Γ `cp e : τ and e −→ e′, then C; Γ〈C〉 `cp e′ : τ〈C〉 andC ` e −→ e′.

Proof: The proof is by induction on the derivation of C; Γ `cp e : τ .Case [Id], [Int]. These cases cannot happen, because we assume e −→ e′.

Case [Lam]. In this case, the tern is λLx.e, and the only possible reduction is λLx.e −→ λLx.e′.By assumption, we have

[Lam]C; Γ, x : τ `cp e : τ ′ C ` L ≤ l

C; Γ `cp λLx.e : τ →l τ ′

By induction, C; Γ〈C〉, x : τ〈C〉 `cp e′ : τ ′〈C〉 and C ` e −→ e′. Then applying [Lam] yieldsC; Γ〈C〉 `cp λLx.e′ : (τ →l τ ′)〈C〉, and we also have C ` λLx.e −→ λLx.e′.

Case [App]. In this case, the term is e1@Le2, and there are three possible reductions. In thefirst case, when e1@Le2 −→ e′1@Le2, we have

[App]

C; Γ `cp e1 : τ2 →l τ1

C; Γ `cp e2 : τ2 C ` l ≤ LC; Γ `cp e1@Le2 : τ1

Then by induction, C; Γ〈C〉 `cp e′1 : (τ2 →l τ1)〈C〉. By Lemma 9, C; Γ〈C〉 `cp e2 : τ2〈C〉. Thuswe can apply [App] to yield C; Γ〈C〉 `cp e′1@Le2 : τ1〈C〉. Also by induction, C ` e1 −→ e′1, soC ` e1@Le2 −→ e′1@Le2. The second case, when e1@Le2 −→ e1@Le′2, is similar.

28

In the last case, we have (λLx.e1)@L′e2 −→ e1[x 7→ e2]. In this case, we have

[App]

[Sub]

[Lam]C; Γ, x : τ1 ` e1 : τ2 C ` L ≤ l′

C; Γ `cp λLx.e1 : τ1 →l′ τ2 C; ∅ ` (τ1 →l′ τ2) ≤ (τ ′ →l τ)

C; Γ `cp λLx.e1 : τ ′ →l τC; Γ `cp e2 : τ ′ C ` l ≤ L′

C; Γ ` (λLx.e1)@L′e2 : τ

Then C; ∅ ` τ ′ ≤ τ1, hence C; Γ `cp e2 : τ1. Then by Lemma 10, C; Γ〈C〉 `cp e1[x 7→ e2] : τ2〈C〉.By Lemma 8, C; ∅ ` τ2〈C〉 ≤ τ〈C〉. Thus by [Sub] we have C; Γ〈C〉 `cp e1[x 7→ e2] : τ〈C〉.

Finally, in this reduction step L′ consumes L. But C ` L ≤ l′, C ` l′ ≤ l, and C ` l ≤ L′,hence C ` L ≤ L′. Hence we have shown the conclusion.

Case [Pair]. In this case, we have either (e1, e2)L −→ (e′1, e2)L or (e1, e2)L −→ (e1, e′2)L. In

either case the proof proceeds by induction, similar to the first case of [App].

Case [Proj]. In this case, the term is e.Lj. There are two possible reductions. If the reductionis e.Lj −→ e′.Lj, then we apply induction as in the first case of [App]. Otherwise, the reduction is(e1, e2)L

′.Lj −→ ej . In this case, our typing proof is of the form

[Proj]

[Sub]

[Pair]C; Γ ` e1 : τ ′1 C; Γ ` e2 : τ ′2 C ` L′ ≤ l′

C; Γ `cp (e1, e2)L′

: τ ′1 ×l′τ ′2

C; ∅ ` τ ′1 ×l′τ ′2 ≤ τ1 ×l τ2

C; Γ `cp (e1, e2)L′

: τ1 ×l τ2

C ` l ≤ L j = 1, 2

C; Γ `cp (e1, e2)L′.Lj : τj

Then C; Γ ` ej : τ ′j , and since C; ∅ ` τ ′j ≤ τj , we have C; Γ ` ej : τj . Then by Lemma 9, we haveC; Γ〈C〉 ` ej : τj〈C〉. Also, C ` L′ ≤ l′, C ` l′ ≤ l, and C ` l ≤ L, hence C ` L′ ≤ L, and we haveshown the conclusion.

Case [Cond]. In this case, the term is if0L e0 then e1 else e2, and there are four possiblereductions. If the reduction occurs inside of e0, e1, or e2, then we proceed by induction as usual.Otherwise, the reduction is either if0L nL

′then e1 else e2 −→ e1 or if0L nL

′then e1 else e2 −→

e2, depending on whether n is 0. In either case, our typing judgment looks like

[Cond]

[Sub]

[Int]C ` L′ ≤ l′

C; Γ `cp nL′

: intl′

C; ∅ ` intl′ ≤ intl

C; Γ `cp nL′

: intl

C ` l ≤ L C; Γ `cp e1 : τ C; Γ `cp e2 : τ

C; Γ `cp if0L nL′then e1 else e2 : τ

Then clearly C; Γ `cp ei : τ , and by Lemma 9 we have C; Γ〈C〉 `cp ei : τ〈C〉. And since C ` L′ ≤ l′,C ` l′ ≤ l, and C ` l ≤ L, we have C ` L′ ≤ L.

Case [Sub]. In this case, the reduction is e −→ e′, and we have

[Sub]C; Γ `cp e : τ1 C; ∅ ` τ1 ≤ τ2

C; Γ `cp e : τ2

29

But by induction, C; Γ〈C〉 `cp e′ : τ1〈C〉. By Lemma 8, C; ∅ ` τ1〈C〉 ≤ τ2〈C〉. Hence we can apply[Sub] to show C; Γ〈C〉 `cp e′ : τ2〈C〉.

Case [Let]. In this case, the term is let f = e1 in e2. If the reduction occurs inside of e1 or e2,then we proceed by induction as usual. Otherwise, the typing judgment is of the form

[Let]

C ′; Γ `cp e1 : τ1 C; Γ, f : ∀~α[C ′].τ1 `cp e2 : τ2

~α ⊆ (fl(τ1) ∪ fl(C ′)) \ fl(Γ)C; Γ `cp let f = e1 in e2 : τ2

and the reduction is let f = e1 in e2 −→ e2[f 7→ e1]. But then by Lemma 11, C; Γ ` e2[f 7→ e1] :τ2. Then by Lemma 9, C; Γ〈C〉 ` e2[f 7→ e1] : τ2〈C〉. Since no labeled values are consumed by thisreduction, C ` let f = e1 in e2 −→ e2[f 7→ e1] trivially, and we are done.

Case [Fix]. Analogous to [Let].

Case [Inst]. This case cannot happen, because we assume e −→ e′.

Case [Pack]. This case proceeds by induction as usual. In this case the reduction must bepackL,i e −→ packL,i e′ , and so we proceed by the usual induction. The typing proof is

[Pack]C; Γ `cp e : τ [~α 7→ ~l] C ` C ′[~α 7→ ~l] C ` L ≤ l

C; Γ `cp packL,i e : ∃l~α[C ′].τ

Then by induction, C; Γ〈C〉 `cp e′ : (τ [~α 7→ ~l])〈C〉 and C ` e −→ e′. By our alpha renamingconvention, (τ [~α 7→ ~l])〈C〉 = (τ〈C〉)[~α 7→ ~l]. Further, C ` C ∪ C ′[~α 7→ ~l], and again by our alpharenaming convention C ` (C ∪ C ′)[~α 7→ ~l]. Hence by [Pack] we have C; Γ〈C〉 `cp packL,i e :(∃l~α[C ′].τ)〈C〉, and we also have C ` packL,i e −→ packL,i e′ .

Case [Unpack]. In this case the term is unpackL x = e1 in e2, and there are three possiblereductions. If the reudction occurs inside e1 or e2 then apply induction as usual. Otherwise, thereduction is unpackL x = (packL

′,i e) in e2 −→ e2[x 7→ e], and the typing proof is

[Unpack]

[Sub]

[Pack]

C; Γ `cp e : τ1[~α 7→ ~l]C ` C1[~α 7→ ~l] C ` L′ ≤ l1C; Γ `cp packL

′,i e : ∃l1~α[C1].τ1

C; ∅ `cp ∃l1~α[C1].τ1 ≤ ∃l2~α[C2].τ2

C; Γ `cp packL′,i e : ∃l2~α[C2].τ2

C ` l2 ≤ L C ∪ C2; Γ, x : τ2 `cp e2 : τ~α ⊆ (fl(τ2) ∪ fl(C2)) \ (fl(Γ) ∪ fl(τ) ∪ fl(C))

C; Γ `cp unpackL x = (packL′,i e) in e2 : τ

Further, the subtyping derivation is

[Sub-∃]

C1 ` C2

D′ = [l 7→ 1,∀l ∈ ~α] C;D′ ` τ1 ≤ τ2 C;D ` l1 ≤ l2C; ∅ ` ∃l1~α[C1].τ1 ≤ ∃l2~α[C2].τ2

We show soundness by applying the Substitution Lemma. First, we have C∪C2; Γ, x : τ2 `cp e2 :τ . Let ψ be the substitution [~α 7→ ~l]. Applying this to our judgment yields ψ(C)∪ψ(C2);ψ(Γ), x :

30

ψ(τ2) `cp e2 : ψ(τ). But since ~α ∩ (fl(Γ) ∪ fl(τ) ∪ fl(C)) = ∅, we have C ∪ ψ(C2); Γ, x : ψ(τ2) `cpe2 : τ .

Further, since C1 ` C2, we have ψ(C1) ` ψ(C2). Then since C ` ψ(C1), we have C ` ψ(C2).Then by Lemma 6, we have the following conclusion:

C; Γ, x : ψ(τ2) `cp e2 : τ

By assumption, we have C; Γ `cp e : ψ(τ1). Also by assumption, we have C;D′ ` τ1 ≤ τ2. Thenby Lemma 7, we have C; ∅ ` ψ(τ1) ≤ ψ(τ2). Therefore by [Sub], we have the following conclusion:

C; Γ `cp e : ψ(τ2)

Now we can apply Lemma 10 to yield C; Γ〈C〉 `cp e2[x 7→ e] : τ〈C〉.Finally, observe C ` L′ ≤ l1, C ` l1 ≤ l2, and C ` l2 ≤ L. Hence C ` L′ ≤ L, and therefore

C ` unpackL x = (packL′,i e) in e2 −→ e2[x 7→ e], so we are done.

�

Theorem 14 (Soundness) If C; Γ `cp e : τ and e −→∗ e′, then C ` e −→∗ e′.

Proof: By induction on the length of the reduction e −→∗ e′, using Lemma 13.

�

B Reduction from CFL to Copy

In this section, we prove that typing proofs in CFL reduce to equivalent proofs in Copy. Asmentioned earlier, CFL is actually more restrictive than Copy in the programs it is able to check.

We proceed following the basic proof technique in [9], but due to higher-order polymorphictypes, our proof is somewhat more complicated.

Definition 15 (Polarity of label in type) Let τ be a CFL type. We say that some label l ∈fl(τ) has positive polarity (+) in τ if one of the following holds:

1. τ = intl

2. τ = τ1 →l′ τ2 and l = l′ or l has + polarity in τ2 or l has − polarity in τ1.

3. τ = τ1 ×l′τ2 and l = l′ or l has + polarity in τ1 or in τ2.

4. τ = ∃l′~α.τ ′ and either l = l′, or l /∈ ~α and l has + polarity in τ ′

Similarly, we say that some label l ∈ fl(τ) has negative polarity − in τ if one of the following holds:

1. τ = τ1 →l′ τ2 and l has − polarity in τ2 or l has + polarity in τ1.

2. τ = τ1 ×l′τ2 and l has − polarity in τ1 or in τ2.

3. τ = τ = ∃l′~α.τ ′ and l /∈ ~α and l has − polarity in τ ′.

31

Definition 16 (Polarized constraint sets) Let C be a set of flow constraints, let τ be a CFL

type and let F ⊆ fl(τ). We say that C is p-polarized with respect to τ and F , written C BpF τ , iffthe following conditions hold for all l ∈ F :

1. whenever C ` l ≤ l′ with l 6= l′, then l has polarity p in τ .

2. whenever C ` l′ ≤ l with l 6= l′, then l has polarity p in τ .

Lemma 17 If l has polarity p in τ , I;D ` τ �ip′ τ ′ : φ, and l 6∈ D, then I ` l �ip·p′ φ(l), wherep · p = + and p · p = −.

Proof: Induction over the instantiation I;D ` τ �ip′ τ ′ : φ:Case [Inst-Int]. We have

[Inst-Int]I;D ` l �ip′ l′ : φ

I;D ` intl �ip′ intl′

: φ

Since l 6∈ D, we conclude that I;D ` l �ip l′ : φ can only have been proved by [Inst-Index-1]. Thus

[Index-Index-1]I ` l �ip′ l′ {(l, l′)} ∈ φ

I; ∅; ∅ ` l �ip′ l′ : φ

From this we get l′ = φ(l) and I ` l �ip′ φ(l). But l has + polarity in intl. , and by definition,p′ ·+ = p′, and thus we have I ` l �ip′·+ φ(l).

Case [Inst-Pair]. We have

[Inst-Pair]

I;D ` l1 �ip′ l2 : φI;D ` τ1 �ip′ τ ′1 : φ I;D ` τ2 �ip′ τ ′2 : φ

I;D ` τ1 ×l1 τ2 �ip′ τ ′1 ×l2 τ ′2 : φ

There are two cases:

• l = l1. Then as in the previous case, since l 6∈ D we get l2 = φ(l1) and I ` l �ip′ φ(l) from[Inst-Index-1]. Then, since l has polarity + in τ1 ×l τ2, we have I ` l �ip′·+ φ(l).

• l ∈ fl(τi) (i = 1, 2). Then by Definition 15, l has polarity p in τi. Then by induction we haveI ` l �ip·p′ φ(l)

Case [Inst-Fun]. We have

[Inst-Fun]

I;D ` l1 �ip′ l2 : φI;D ` τ1 �ip′ τ

′1 : φ I;D ` τ2 �ip′ τ ′2 : φ

I;D ` τ1 →l1 τ2 �ip′ τ ′1 →l2 τ ′2 : φ

There are three cases:

• l = l1. Then since l 6∈ D, as before by [Inst-Index-1] we have l2 = φ(l1) and I ` l �ip′ φ(l).Since l has polarity + in τ1 →l τ2, we then have I ` l �ip′·+ φ(l).

32

• l ∈ fl(τ1). By Definition 15, l has polarity p in τ1. Then by induction we have I ` l �ip·p′ φ(l)

But since p · p′ = p · p′, this is equivalent to I ` l �ip·p′ φ(l).

• l ∈ fl(τ2). By Definition 15, l has polarity p in τ2. As before, by induction we then haveI ` l �ip·p′ φ(l).

Case [Inst-∃]. We have

[Inst-∃]

D′ = D ⊕ ~α I;D′ ` τ1 �ip′ τ2 : φI;D ` l1 �ip′ l2 : φ

I;D ` ∃l1~α.τ1 �ip′ ∃l2~α.τ2 : φ

There are two cases:

• Case l = l1. Then since l 6∈ D, by [Inst-Index-1] we have l2 = φ(l1) and I ` l �ip′ φ(l). Sincel has polarity + in ∃l1~α.τ1, we then have I ` l �ip′·+ φ(l).

• Case l ∈ fl(τ1). We may assume l /∈ ~α, since otherwise l 6∈ fl(∃l1~α.τ1). Therefore l 6∈ D′.Further, by Definition 15 the polarity of l in τ1 is p. Then by induction we have I ` l �ip·p′ φ(l).

�

Definition 18 (Instantiation context) Every application of an [Inst]

[Inst]

I; ∅ ` τ �i+ τ ′ : φdom(φ) = ~α I ` ~l �i+ ~l I ` ~l �i− ~l

I;C; Γ, f : (∀~α.τ,~l) `CFL f i : τ ′

defines a positive instantiation context 〈C, I, ~α,~l, τ, φ,+, i〉.Every application of [Pack]

[Pack]

I;C; Γ `CFL e : τ ′ I; ∅ ` τ �i− τ ′ : φdom(φ) = ~α C ` L ≤ lI;C; Γ `CFL packL,i e : ∃l~α.τ

defines a negative instantiation context 〈C, I, ~α, τ, φ,−, i〉Since there is a unique i for every [Inst] or [Pack] rule, we define InstCtx(i,D) to be the

instantiation context defined at the rule identified by i in the CFL derivation D.

Definition 19 (Closure) Let C and I be CFL constraints. The we define the closure of theconstraints as CI = {l1 ≤ l2 | I;C ` l1 m l2}.

Definition 20 A set of instantiation constraints I is normal if whenever I ` l1 �ip l2 and I `l3 �jp′ l4 with l1 6= l2 and l3 6= l4, then l2 6= l3.

Definition 21 A positive instantiation context 〈C, I, ~α,~l, τ, φ,+, i〉 is normal if

33

[LubL]C ` l1 ≤ l · · · C ` ln ≤ l

C ` (⊔ni=1 li) ≤ l

[LubR]j ∈ {1, . . . , n}

C ` lj ≤ (⊔ni=1 li)

Figure 15: Extended Subtype Relation

1. I; ∅ ` τ �ip τ ′ : φ

2. ~α ∩~l = ∅

3. C B+~α τ

4. I ` ~l �i+ ~l and

5. I is normal

Notice that by definition of C Bp~α τ we also have ~α ⊆ fl(τ). We will define normal negativeinstantiation contexts after proving some important lemmas.

In order to show how derivations in CFL relate to derivations in Copy, we will need to relatetypes (∀~α.τ,~l) with types ∀~α[C].τ , and similarly for existential types. However, notice that thesetypes may be quantified over different variables—in the Copy type, we may quantify over variablesappearing in τ and C, whereas in the CFL type we only explicitly quantify over variables appearingin τ . To make these match, we need to observe that if a variable appears in C and not in τ or ~l,then it is an intermediate variable—the only thing that we really need to capture is how it inducesconstraints among variables that appear in τ . Hence we add to our system formal joins (

⊔ni=1 li) of

label variables. In the course of the proof, we will replace all intermediate variables in with joinsamong the variables in τ , the variables in ~l, and constants. Figure 15 gives additional rules we usewhen checking C ` l1 ≤ l2 in addition to containment {l1 ≤ l2} ∈ C. For the remainder of thissection, we write C ` C ′ if for all {l1 ≤ l2} ∈ C ′ we have C ` l1 ≤ l2.

Formally, we define ΦS(l) = {l′ ∈ S ∪ L | CI ` l′ ≤ l}. For a set of labels S, we then define asubstitution

ψS(l) ={l l ∈ S ∪ L⊔

ΦS(l) otherwise

Finally, for a set of labels S, we define CIS = ψS(CI), i.e., we replace labels in CI that are not inS by the least-upper bound of labels in S that flow to it.

Lemma 22 If S ⊆ S′, then CIS′ ` CIS.

Proof: Pick some l ∈ S. Then in CIS , there are two cases. Either l is mapped to itself, if l ∈ S,or l is mapped to

⊔ΦS(l). Now suppose CI ` l1 ≤ l2. If l1 ∈ S and l2 ∈ S then CIS ` l1 ≤ l2 and

CIS′ ` l1 ≤ l2 by the above reasoning. If l1 /∈ S and l2 6∈ S, then we have CIS `⊔

ΦS(l1) ≤⊔

ΦS(l2).Then by [LubL] and [LubR], there exists an l′2 ∈ ΦS(l2) such that for all l′1 ∈ ΦS(l1), we haveCIS ` l′1 ≤ l′2, and notice that l′1, l

′2 ∈ S ⊆ S′. Thus we have CIS′ ` l′1 ≤ l′2. But since this holds for

all l′1 and some l′2, by [LubL] and [LubR] we have CIS′ `⊔

ΦS(l1) ≤⊔

ΦS(l2). The reasoning forthe other possibilities for l1 and l2 is similar.

34

�

Lemma 23 If S ⊆ S′, then ψS(CIS′) = CIS.

Lemma 24 If 〈C, I, ~α,~l, τ, φ,+, i〉 is a normal positive instantiation context, then CI Bp~α τ .

Proof: We will show one case; the other polarity is similar. Suppose CI ` l ≤ l′ with l 6= l′ andl ∈ ~α. Then we have I;C ` l m l′. We need to show that l has polarity p in τ . The proof is byinduction on the derivation of I;C ` l m l′.Case [Level]. We have C ` l ≤ l′. But then since the instantiation context is normal, C Bp~α τ ,and thus l has polarity p in τ .

Case [Trans]. We have I;C ` l m l′′ and I;C ` l′′ m l′. By induction, I;C ` l m l′′ impliesthat l has polarity p in τ .

Case [Constant]. This case cannot occur, because we assume l ∈ ~α.

Case [Match]. We have I ` l1 �i− l, I;C ` l1 m l2, and I ` l2 �i+ l′. Then suppose for acontradiction that l1 6= l. Since l ∈ ~α and ~α ∩ ~l = ∅, we have I ` l �ip′ φ(l) with φ(l) 6= l. Thensince the instantiation context is normal, we have l 6= l, a contradiction. Thus l1 = l. But then wehave I;C ` l m l2, and so by induction we have that l has polarity p in τ .

�

Intuitively, the following lemma shows that subsets of CI are closed with respect to substitutionsφ that correspond to instantiation constraints. In order to show this, we extend a substitution φto a substitution φ, which is the same as φ except that intermediate variables are replaced byjoins. We will use this lemma in proving correspondence between [Inst] and [Pack] rules of the twosystems. Below we write L for the set of constant labels.

Given a normal positive instantiation context 〈C, I, ~α,~l, τ, φ,+, i〉, we define Φi = ΦSi whereSi = ~α ∪~l ∪ L.

Lemma 25 Let 〈C, I, ~α,~l, τ, φ,+, i〉 be a normal positive instantiation context. If ~α ∪ ~l ⊆ S′ andφ(S′) ⊆ S, then CIS ` φ(CIS′), where

φ(l) =

φ(l) l ∈ ~αl l ∈ ~l ∪ L⊔φ(Φi(l)) otherwise

Proof: Suppose {l′1 ≤ l′2} ∈ φ(CIS′). Then there are l1, l2 ∈ S′ such that {l1 ≤ l2} ∈ CIS′ , whereφ(l1) = l′1 and φ(l2) = l′2, and thus CI ` l1 ≤ l2 by Lemma 22. Notice we can assume l1 6= l2,since otherwise the proof is trivial. We can also assume without loss of generality that neither l1nor l2 is a join, because if it is, we can use [LubL] and [LubR] to reduce the inequality to a set ofinequalities among labels, as in Lemma 22. So then we need to show CIS ` l′1 ≤ l′2. There are ninepossible cases, depending on where each of l ∈ {l1, l2} appears:

1. l ∈ ~l ∪ L, and so φ(l) = l

35

2. l ∈ ~α, and so φ(l) = φ(l) (this is disjoint from the first case since the instantiation context isnormal)

3. otherwise φ(l) =⊔φ(Φi(l))

We proceed by case analysis.

1. l1 ∈ ~l ∪ L and l′1 = φ(l1) = l1. The cases for l2 are:

(a) l2 ∈ ~l ∪ L and l′2 = φ(l2) = l2. Then since CI ` l1 ≤ l2 and l′i = li, we have CI ` l′1 ≤ l2.And since φ(S′) ⊆ S, we have l′1, l

′2 ∈ S. Thus CIS ` l′1 ≤ l′2.

(b) l2 ∈ ~α and l′2 = φ(l2) = φ(l2). Then since the instantiation context is normal, we haveC Bp~α τ . Then by Lemma 24 we have CI Bp~α τ . But then since CI ` l1 ≤ l2 and l2 ∈ ~α,we know l2 has polarity p in τ . Then since l2 6∈ ~l, by Lemma 17 we have I ` l2 �i+ φ(l2),since p ·p = + and in the instantiation D = ∅. Since the instantiation context is normal,we either have l1 ∈ ~l or l1 ∈ L, all of which imply I ` l1 �i± l1 (the former by [Inst] or[Pack], and the latter by [Constant]). Then by [Match], we have

[Match]I ` l1 �i− φ(l1) I;C ` l1 m l2 I ` l2 �i+ φ(l2)

I;C ` φ(l1) m φ(l2)

and so CI ` l′1 ≤ l′2. Since φ(S′) ⊆ S, we have l′1, l′2 ∈ S. Thus CIS ` l′1 ≤ l′2.

(c) Otherwise l′2 = φ(l2) =⊔φ(Φi(l2)) Then since CI ` l1 ≤ l2 and either l1 ∈ ~l, or l1 ∈ L,

we have l1 ∈ Φi(l2). Since φ(l1) = l1, we have l1 ∈ φ(Φi(l2)). But then from [LubR],we get CI ` l1 ≤ φ(l2) =

⊔φ(Φi(l2)). And since φ(S′) ⊆ S, we have l′1 ∈ S and thus

CIS ` l′1 ≤ l′2.

2. l1 ∈ ~α. Then l′1 = φ(l1) = φ(l1). The cases for l2 are:

(a) l2 ∈ ~l ∪L and φ(l2) = l2. This is analogous to case 1(b). Since the instantiation contextis normal, we have CBp~α τ . Then by Lemma 24, we have CIBp~α τ . But since CI ` l1 ≤ l2and l1 ∈ ~α, we know that l1 has polarity p in τ . Then since l1 6∈ ~l, Then by Lemma 17,we have I ` l1 �i− φ(l1), since p · p = − and in the instantiation D = ∅. Since theinstantiation context is normal and either l2 ∈ ~l or l2 ∈ L, we also have I ` l2 �i± l2.Then by [Match], we have

[Match]I ` l1 �i− φ(l1) I;C ` l1 m l2 I ` l2 �i+ φ(l2)

I;C ` φ(l1) m φ(l2)

and so CI ` l′1 ≤ l′2. And since φ(S′) ⊆ S, we have l′1, l′2 ∈ S. Thus CIS ` l′1 ≤ l′2.

(b) l2 ∈ ~α and φ(l2) = φ(l2). As in 2(a) above, we have CI Bp~α τ . Since CI ` l1 ≤ l2, l1 ∈ ~α,l1 6∈ ~l, and l2 ∈ ~α, we know that l1 has polarity p in τ and l2 has polarity p in τ , and inthe instantiation D = ∅. Then by Lemma 17, we have I ` l1 �i− l′1 and I ` l2 �i+ l′2.Then we have

[Match]I ` l1 �i− φ(l1) I;C ` l1 m l2 I ` l2 �i+ φ(l2)

I;C ` φ(l1) m φ(l2)

so CI ` l′1 ≤ l′2. And since φ(S′) ⊆ S, we have l′1, l′2 ∈ S. Thus CIS ` l′1 ≤ l′2.

36

(c) Otherwise l′2 = φ(l2) =⊔φ(Φi(l2)). Then since CI ` l1 ≤ l2 and l1 ∈ ~α, we have l1 ∈

Φi(l2). So then l′1 = φ(l1) ∈ φ(Φi(l2)). Then from [LubR] we have CI ` l′1 ≤⊔φ(Φi(l2)).

And since φ(S′) ⊆ S, we have l′1 ∈ S. Therefore CIS ` l′1 ≤ l′2.

3. Otherwise, l′1 = φ(l1) =⊔φ(Φi(l1)). The cases for l2 are:

(a) l2 ∈ ~l ∪ L and φ(l2) = φ(l2) = l2. Then since CI ` l1 ≤ l2, we have CI ` l′ ≤ l2 for alll′ ∈ Φi(l1) (and l′ ∈ S′ by assumption) by [Trans] and [LubL] in Figure 14. Moreover,for each l′ ∈ Φi(l1), there are two cases.

i. l′ ∈ ~l ∪ L. Apply case 1(a) to show CIS ` φ(l′) ≤ l′2.

ii. l′ ∈ ~α. Apply case 2(a) to show CIS ` φ(l′) ≤ l′2.

Thus for all l′ ∈ Φi(l1), we have CIS ` φ(l′) ≤ l′2. Then by [LubL], we have CIS `⊔φ(Φi(l1)) ≤ φ(l2), or CIS ` l′1 ≤ l′2.

(b) l2 ∈ ~α and φ(l2) = φ(l2). Since CI ` l1 ≤ l2, we have CI ` l′ ≤ l2 for all l′ ∈ Φi(l1)by [Trans] (and l′ ∈ S′ by assumption). For each l′ ∈ Φi(l1), there are two cases. Ifl′ ∈ ~l ∪ L, apply case 1(b) to show CIS ` φ(l′) ≤ l′2. If l′ ∈ ~α, apply case 2(b) to showCIS ` φ(l′) ≤ l′2. Then by [LubL] as before, CIS ` l′1 ≤ l′2.

(c) Otherwise l′2 = φ(l2) =⊔φ(Φi(l2)). Then since CI ` l1 ≤ l2, we have CI ` l′ ≤ l2 for all

l′ ∈ Φi(l1) by [Trans]. But then Φi(l1) ⊆ Φi(l2) ⊆ S′. Therefore φ(Φi(l1)) ⊆ φ(Φi(l2)) ⊆S. Then by [LubR] we have CI ` l′ ≤ (

⊔φ(Φi(l2))) for all l′ ∈ φ(Φi(l1)), and so by

[LubL] we have CI ` (⊔φ(Φi(l1))) ≤ (

⊔φ(Φi(l2))). Since φ(Φi(l1)) ⊆ φ(Φi(l2)) ⊆ S, we

have CIS ` l′1 ≤ l′2.

�

Definition 26 A negative instantiation context 〈C, I, ~α, τ, φ,−, i〉 is normal if

1. I; ∅ ` τ �ip τ ′ : φ

2. C B−~α τ

3. fl(τ ′) ∩ ~α = ∅

4. I is normal

Next we define a notion of a normal CFL derivation, which intuitively is one that correspondsdirectly to a derivation in Copy.

Definition 27 (Normal CFL derivation) A CFL derivation D is normal if

1. Every instantiation context InstCtx(i,D) is normal

2. For all universal types (∀~α.τ,~l), it is the case that ~α = fl(τ) \~l.

3. For all existential types ∃~l~α.τ l, it is the case that CI~αB−~α τ , i.e., the constraint sets in translated

existential types are always negatively polarized with respect to the base type.

4. All polymorphic types created in [Let] and [Pack] have distinct bound labels ~α.

37

5. For every two sub-derivations D1, D2 in D, where D1 is not a part of D2 and conversely, theonly common labels between D1 and D2 are in the Γ assumptions and concluding types of D1

and D2.

Notice that every sub-derivation of a normal CFL derivation is normal.

Lemma 28 If I;C; Γ `CFL e : τ , then there exists a normal CFL derivation I ′;C ′; Γ `CFL e : τ .

Proof: We walk through the conditions. Satisfying conditions 4 and 5 is a matter of picking freshlabels wherever possible. Condition 2 is satisfied by construction of [Let] and [Fix]. And condition 1follows by reasoning similar to [9]. Observe that reasoning similar to Lemma 33 below shows thatC Bp~α τ at uses of [Pack].

The only tricky condition to show is 3. We sketch the proof. Consider the constraints generatedin the e2 sub-derivation portion of [Unpack]:

I;C; Γ, x : τ `CFL e2 : τ ′

Within the body of e2, we can assume that [Sub] is always applied after x. Thus for any l ap-pearing positively in τ , we will only generate constraints l ≤ l′, and vice-versa for labels appearingnegatively. Thus the constraints generated in this portion of the derivation are negatively polarizedwith respect to τ and ~α, and so far CI~α B

−~α τ , since transitively closing these constraints does not

affect polarity, and neither does restricting to ~α.Otherwise, suppose we have an application of [Sub] with

C; ∅; ∅ ` ∃l′1 ~α1.τ1 ≤ ∃l′2 ~α2.τ2

Then let li ∈ ~αi be labels in the same positions in τi. Each occurs with the same polarity. Supposethe li appear positively. Then [Sub-Index-2] generates the constraint C ` l1 ≤ l2. Clearly we haveviolated the polarity restriction for l2 in C. However, observe that in CI~α2

, we have that l1 is thejoin of no elements, and this holds transitively even with more applications of [Sub], since theycan only add lower bounds to l2 that do not appear in ~α2. (Only [Unpack] can add constraints inthe other direction, and once we unpack something we cannot re-pack it in the same scope). Thusthis constraint is vacuous, and we ignore it for computing polarities. (If we did not ignore theseconstraints, then [LubL] would allow us to put any label on the right hand side of a constraint,in any constraint system.) Similarly, if the li appear negatively, [Sub] generates the constraintC ` l2 ≤ l1, but in CI~α2

, we have that l1 is the join of some elements including l2, which is againvacuous, and more applications of [Sub] can only add upper bounds to l2 that do not appear in ~α2.

Otherwise, suppose we have an application of [Inst] with

I; ∅ ` ∃l′1~α.τ1 �i+ ∃l′2~α.τ2

Then [Inst-Index-2] generates no constraints, and reasoning about the type ∃l′1~α.τ1 shows thatpositively occurring labels in τ1 can only have lower bounds and negatively occurring labels canonly have upper bounds.

Finally, otherwise suppose we have an application of [Pack] with

I; ∅ ` ∃l′2~α.τ2 �i− ∃l′1~α.τ1

Then [Inst-Index-2] generates no constraints, and reasoning about the type ∃l′1~α.τ1 shows thatpositively occurring labels in τ1 can only have upper bounds and negatively occurring labels canonly have lower bounds.

The cases of uses of [Sub], [Pack], and [Inst] deeper in a type are similar.

38

ΨC,I(intl) = intl

ΨC,I(τ1 →l τ2) = ΨC,I(τ1)→l ΨC,I(τ2)ΨC,I(τ1 ×l τ2) = ΨC,I(τ1)×l ΨC,I(τ2)

ΨC,I(∃l~α.τ ) = ∃l~α[CI~α].(ΨC,I(τ))ΨC,I(Γ, f : (∀~α.τ,~l)) = ΨC,I(Γ), f : ∀~α[CI

(~α∪~l)].(ΨC,I(τ))

ΨC,I(Γ, x : τ) = ΨC,I(Γ), (ΨC,I(τ))

Figure 16: Translation from CFL types to Copy types

�

Finally, we can prove that for every normal CFL derivation, there exists an equivalent Copy

derivation. Intuitively, a program type checks under CFL constraints I and C, then it shouldtype check under Copy with constraints CI (this turns out not quite to work; see below). Whentranslating the derivation, we also need to choose the constraint systems for polymorphic Copy

types, and these systems are implicit in CFL. Rehof, Fahndrich, and Das [9] choose CI as theconstraint system for all polymorphic types. However, this does not work in our system, becauseexistentials are higher-order. We could translate the type (∀~α.(∃l′ ~α′.τ),~l) to ∀~β[CI ].(∃l′ ~β′[CI ].τ),but when we instantiate the latter, the instantiation might cause substitutions on some of thevariables in the CI of the existential type. Instead, for existentials, we put in a subset of CI thatis restricted to the bound labels in the type. By construction of the CFL system, these boundlabels can never mix with free labels. Similarly, for universal types, we plug in CI restrictedto the bound labels and the free labels of the universal; for universals, free labels do not causeproblems, because they are not first-class. Figure 16 defines a translation function ΨC,I that takesCopy types and transforms them to CFL types. For an existential ∃l~α.τ , we choose as the Copy

constraints CI~α. The strong hypothesis in [Unpack] in Figure 10 guarantees that this is safe, becausequantified labels can never mix with non-quantified labels. For universal types, on the other hand,we allow quantified types to be constrained by non-quantified types, and thus for a type (∀~α.τ,~l))we choose the constraints CI

(~α∪~l). Intuitively, these are exactly the labels that “matter” to a caller

of the quantified type—those that are bound in the type and those that may be free in the type.Any other labels (for example, intermediate labels constructed in the function body) are irrelevantexcept for their effects on ~α and ~l.

Lemma 29 For any substitution φ, we have φ(ΨC,I(τ)) = ΨC,I(φ(τ)).

Proof: By induction on the definition of ΨC,I . The interesting cases are existentials and univer-sals. Letting φ′(l) = l for l ∈ ~α and φ′(l) = φ(l) otherwise, we have

φ(ΨC,I(∃l~α.τ )) = φ(∃l~α[CI~α].(ΨC,I(τ)))= ∃φ(l)~α[φ′(CI~α)].φ′(ΨC,I(τ)))= ∃φ(l)~α[CI~α].φ′(ΨC,I(τ))) by definition of φ′

= ∃φ(l)~α[CI~α].ΨC,I(φ′(τ))) by induction= ΨC,I(φ(∃l~α.τ ))

�

Lemma 30 For any set S, we have ψ(fl(Γ)∪S)(ΨC,I(Γ)) = ΨC,I(Γ).

39

Proof: The proof is by induction. Let ψ = ψ(fl(Γ)∪S). For regular types τ in the range of Γ, wehave ψ(ΨC,I(τ)) = ΨC,I(ψ(τ)) by Lemma 29. But since τ is in the range of Γ, ψ(τ) = τ .

For universals, let ψ′(l) = l for l ∈ ~α and ψ′(l) = ψ(l) otherwise, and then we have

ψ(ΨC,I((∀~α.τ,~l))) = ψ(∀~α[CI(~α∪~l)

].(ΨC,I(τ)))

= ∀~α[ψ′(CI(~α∪~l)

)].ψ′(ΨC,I(τ))

= ∀~α[CI(~α∪~l)

].ψ′(ΨC,I(τ)) Since ~l ∈ fl(Γ)

= ∀~α[CI(~α∪~l)

].ΨC,I(ψ′(τ)) by Lemma 29

= ΨC,I(ψ((∀~α.τ,~l)))

�

Lemma 31 fl(ΨC,I(τ)) = fl(τ)

Proof: By induction on the definition of ΨC,I . The only interesting case is ΨC,I(∃l~α.τ ) =∃l~α[CI~α].(ΨC,I(τ)). By induction, we have fl(ΨC,I(τ)) = fl(τ). Then observe that fl(CI~α) = ~α. Thusfl(∃l~α[CI~α].(ΨC,I(τ))) = {l}∪((fl(ΨC,I(τ))∪fl(CI~α))\~α) = {l}∪((fl(ΨC,I(τ))\~α) = {l}∪(fl(τ)\~α) =fl(∃l~α.τ ).

�

Lemma 32 Given types from a normal derivation, fl(ΨC,I(Γ)) ⊆ fl(Γ).

Proof: The interesting case (ignoring the environment and focusing on the ∀ type) is ΨC,I((∀~α.τ,~l)) =∀~α[CI

(~α∪~l)].(ΨC,I(τ)). Since the derivation is normal, ~α = fl(τ) \~l. Thus

fl(∀~α[CI(~α∪~l)

].(ΨC,I(τ))) =(

fl(CI(~α∪~l)

) ∪ fl(ΨC,I(τ)))\ ~α

⊆(~α ∪~l ∪ fl(τ)

)\ ~α

= ~l ∪ (fl(τ) \ ~α)= fl((∀~α.τ,~l))

�

Lemma 33 Given a type ∃l~α.τ from a normal CFL derivation, we have CI~αB−~α τ , i.e., the constraint

sets in translated existential types are always negatively polarized with respect to the base type.

Proof:

�

Lemma 34 Let 〈C, I, ~α, τ, φ,−, i〉 be a negative instantiation context in a normal CFL derivation.If ~α ⊆ S′ and φ(S′) ⊆ S, then CIS ` φ(CIS′), where

φ(l) =

φ(l) l ∈ ~αl l ∈ L⊔φ(Φi(l)) otherwise

40

Proof: The proof is the same as in Lemma 25, observing that all l ∈ ~α only appear on theleft-hand side of an instantiation constraint, by [Inst-Index-2] and assumption that the derivationis normal.

�

In order to translate subtyping derivations, we also need to translate the D from Figure 11 intothe D of Figure 7. We define ΨC,I(∅) = ∅, and ΨC,I(D⊕ ~α) = (ΨC,I(D))[l 7→ ΨC,I(D) + 1,∀l ∈ ~α].

Lemma 35 If C;D;D ` l ≤ l′ then CI(l,l′); ΨC,I(D) `cp l ≤ l′.

Proof: By induction on C;D;D ` l ≤ l′.Case [Sub-Index-1]. We have

[Sub-Index-1 (CFL)]C ` l ≤ l′

C; ∅; ∅ ` l ≤ l′

Then since ΨC,I(∅) = ∅ and ∅(l) = ∅(l′) = 0, we have

[Sub-Label-1 (Copy)]

(ΨC,I(D))(l) = (ΨC,I(D))(l′) = 0CI(l,l′) ` l ≤ l

′

CI(l,l′); ΨC,I(D) `cp l ≤ l′

Case [Sub-Index-2]. We have

[Sub-Index-2 (CFL)]C ` lj ≤ lj

C;D ⊕ {l1, . . . , ln};D ⊕ {l1, . . . , ln} ` lj ≤ lj

Notice that by assumption bothDi’s must be the same. Also, notice that ΨC,I(D⊕{l1, . . . , ln})(lj) >0 by definition.

[Sub-Label-2 (Copy)](ΨC,I(D ⊕ {l1, . . . , ln}))(l) > 0

CI(lj); ΨC,I(D ⊕ {l1, . . . , ln}) `cp lj ≤ lj

Case [Sub-Index-3]. We have

[Sub-Index-3 (CFL)]C;D;D ` l ≤ l′ l 6= li l′ 6= lj ∀i, j ∈ [1..n]

C;D ⊕ {l1, . . . , ln};D ⊕ {l1, . . . , ln} ` l ≤ l′

By induction, CI(l,l′); ΨC,I(D) `cp l ≤ l′. Let ~α = {l1, . . . , ln}. Then since l, l′ 6= li for any i, we have(ΨC,I(D⊕ ~α))(l) = (ΨC,I(D))(l) and (ΨC,I(D⊕ ~α))(l′) = (ΨC,I(D))(l′). Then there are two cases:

1. If CI(l,l′); ΨC,I(D) `cp l ≤ l′ by [Sub-Label-1 (Copy)], then (ΨC,I(D))(l) = (ΨC,I(D))(l′) = 0.But then (ΨC,I(D ⊕ ~α)(l) = (ΨC,I(D ⊕ ~α)(l′) = 0, so we have

[Sub-Label-1 (Copy)]

(ΨC,I(D ⊕ ~α))(l) = (ΨC,I(D ⊕ ~α))(l′) = 0CI(l,l′) ` l ≤ l

′

CI(l,l′); ΨC,I(D ⊕ ~α) `cp l ≤ l′

41

2. If CI(l,l′); ΨC,I(D) `cp l ≤ l′ by [Sub-Label-2 (Copy)], then (ΨC,I(D))(l) > 0 and l = l′, andtherefore (ΨC,I(D ⊕ ~α))(l) > 0, and so we have

[Sub-Label-2 (Copy)](ΨC,I(D ⊕ ~α))(l) > 0

CI(l,l′); ΨC,I(D ⊕ ~α) `cp l ≤ l′

�

Lemma 36 (Subtyping reduction from CFL to Copy) Let D be a normal CFL derivationof C;D;D ` τ ≤ τ ′. Then CI(τ,τ ′); ΨC,I(D) `cp ΨC,I(τ) ≤ ΨC,I(τ ′).

Proof: By induction on the given CFL derivation.Case [Sub-Int]. We have

[Sub-Int (CFL)]C;D;D ` l ≤ l′

C;D;D ` intl ≤ intl′

Then by Lemma 35 we have CI(l,l′); ΨC,I(D) `cp l ≤ l′. But then we have

[Sub-Int (Copy)]CI(l,l′); ΨC,I(D) `cp l ≤ l′

CI(l,l′); ΨC,I(D) `cp intl ≤ intl′

Case [Sub-Pair], [Sub-Fun]. By induction, using Lemma 35 and the definition of ΨC,I .

Case [Sub-∃]. We have

[Sub-∃]

D1 = D ⊕ ~α1 D2 = D ⊕ ~α2

C;D1;D2 ` τ1 ≤ τ2 C;D;D ` l1 ≤ l2C;D;D ` ∃l1 ~α1.τ1 ≤ ∃l2 ~α2.τ2

Let T = {l1, l2}∪(fl(τ1)\ ~α1)∪(fl(τ2)\ ~α2). Let φ be an alpha-renaming such that φ( ~α2) = ~α1. Thisis always well-defined by the assumption that the derivation is normal and by the subtyping rules ofFigure 11. Then φ(D2) = D1, and thus since C;D1;D2 ` τ1 ≤ τ2, we have C;D1;D1 ` τ1 ≤ φ(τ2).Then by induction we have CI(τ1,φ(τ2)); ΨC,I(D1) `cp ΨC,I(τ1) ≤ ΨC,I(φ(τ2)). But notice thatby [Sub-Label-2] in Figure 7, no (nontrivial) constraints between variables in ΨC,I(D1) are evergenerated. Thus we have CI((τ1,φ(τ2))\ ~α1); ΨC,I(D1) `cp ΨC,I(τ1) ≤ ΨC,I(φ(τ2)). Notice that bydefinition of φ, we have

((fl(τ1) \ ~α1) ∪ (fl(τ2) \ ~α2)) = ((fl(τ1) \ ~α1) ∪ (φ(fl(τ2)) \ ~α1))

And thus by Lemmas 22 and 29 we have CIT ; ΨC,I(D1) `cp ΨC,I(τ1) ≤ φ(ΨC,I(τ2)).Also by Lemmas 35 and 22 we have CIT ,ΨC,I(D) ` l1 ≤ l2.We need to show that CI~α1

` φ(CI~α2). Since the derivation is normal, we have CI~α2

B−~α2τ2.

Observe that by the subtyping rules in Figure 11, for label l ∈ ~α2, if l has polarity + in τ2 thenφ(l) ≤ l, and if l has polarity − in τ2 then l ≤ φ(l).

42

Pick a label l ∈ ~α2. Suppose that CI~α2` l′ ≤ l. Then by definition, l has polarity − in τ2. Thus

l ≤ φ(l). By construction, l′ is a join of the constants and labels in ~α2, and by [LubL], we have thatfor all labels l′′ ∈ l′ we have CI~α2

` l′′ ≤ l′. Then l′′ has polarity + in τ2, and thus φ(l′′) ≤ l′′. Butthen CI ` φ(l′′) ≤ φ(l). And since this holds for all l′′ ∈ l′, by [LubL] we have CI~α1

` φ(l′′) ≤ φ(l),since φ(l′′), φ(l) ∈ ~α1.

Similarly, Suppose that CI~α2` l ≤ l′. Then by definition, l has polarity + in τ2, and hence

φ(l) ≤ l. By construction, l′ is a join of the constants and labels in ~α2. There are two cases. IfCI~α2

` l ≤ (l t S) by [LubR] for some set S, there is nothing to prove, since by [LubR] we haveCI~α1

` φ(l) ≤ (φ(l) t φ(S)). Otherwise, we have CI~α2` l ≤ l′′ for some l′ ∈ ~α2. Then l′′ has

polarity − in τ2, and thus l′′ ≤ φ(l′′). Then CI ` φ(l) ≤ φ(l′′), and thus CI~α1` φ(l) ≤ φ(l′′), since

φ(l), φ(l′′) ∈ ~α1.Thus we have CI~α1

` φ(CI~α2). Notice that there is not requirement that these constraints are

part of CIT , which follows the Copy system pattern that constraints on existential types do not“leak” out to the outer constraint context upon subtyping them.

Finally, by alpha-conversion we have ∃l2 ~α2[CI~α2].τ2 = ∃l2φ( ~α2)[φ(CI~α2

)].φ(τ2)Thus we have

[Sub-∃]

CI~α1` φ(CI~α2

)D1 = (ΨC,I(D))[l 7→ (ΨC,I(D))(l) + 1,∀l ∈ ~α1]

CIT ;D1 ` ΨC,I(τ1) ≤ φ(ΨC,I(τ2))CIT ; ΨC,I(D) ` l1 ≤ l2

CIT ; ΨC,I(D) ` ∃l1 ~α1[CI~α1].ΨC,I(τ1) ≤ ∃l2 ~α2[CI~α2

].ΨC,I(τ2)

�

Theorem 37 (Reduction from CFL to Copy) Let D be a normal CFL derivation of I;C; Γ `CFLe : τ . Then CI(fl(Γ)∪fl(τ)); ΨC,I(Γ) `cp e : ΨC,I(τ).

Proof: By induction on the given CFL derivation. As a shorthand notation in the proof, wedefine CIΓ as CIfl(Γ), C

Iτ as CIfl(τ), and we use commas in place of unions when subscripting.

Case [Id]. We have[Id (CFL)]

I;C; Γ, x : τ `CFL x : τ

Thus trivially[Id (Copy)]

CI(Γ,τ); ΨC,I(Γ), x : ΨC,I(τ) `cp x : ΨC,I(τ)

Case [Int]. We have

[Int (CFL)]C ` L ≤ l

I;C; Γ `CFL nL : intl

Then since C ` L ≤ l and l ∈ fl(intl) = {l} we have CI(Γ,l) ` L ≤ l. Thus

[Int (Copy)]CI(Γ,l) ` L ≤ l

CI(Γ,l); ΨC,I(Γ) `cp nL : intl

43

and ΨC,I(intl) = intl.

Case [Lam]. We have

[Lam (CFL)]I;C; Γ, x : τ `CFL e : τ ′ C ` L ≤ l

I;C; Γ `CFL λLx.e : τ →l τ ′

Then since l ∈ fl(τ →l τ ′) we have CI(Γ,τ,τ ′,l) ` L ≤ l. By induction, CI(Γ,τ,τ ′); ΨC,I(Γ), x :ΨC,I(τ) `cp e : ΨC,I(τ ′). Then by Lemmas 22 and 6, we have CI(Γ,τ,τ ′,l); ΨC,I(Γ), x : ΨC,I(τ) `cp e :ΨC,I(τ ′). Thus we have

[Lam (Copy)]CI(Γ,τ,τ ′,l); ΨC,I(Γ), x : ΨC,I(τ) `cp e : ΨC,I(τ ′) CI(Γ,τ,τ ′,l) ` L ≤ l

CI(Γ,τ,τ ′,l); ΨC,I(Γ) `cp λLx.e : ΨC,I(τ)→l ΨC,I(τ ′)

and ΨC,I(τ →l τ ′) = ΨC,I(τ)→l ΨC,I(τ ′).

Case [App]. We have

[App (CFL)]

I;C; Γ `CFL e1 : τ →l τ ′

I;C; Γ `CFL e2 : τC ` l ≤ L

I;C; Γ `CFL e1@Le2 : τ ′

Let ψ = ψ(Γ,τ ′). By induction, CI(Γ,τ,τ ′,l); ΨC,I(Γ) `cp e1 : ΨC,I(τ)→l ΨC,I(τ ′). Then

ψ(CI(Γ,τ,τ ′,l));ψ(ΨC,I(Γ)) `cp e1 : ψ(ΨC,I(τ)→l ΨC,I(τ ′))

But ψ(CI(Γ,τ,τ ′,l)) = CI(Γ,τ ′) and ψ(ΨC,I(Γ)) = ΨC,I(Γ) by Lemma 30. Similarly, ψ(ΨC,I(τ ′)) =ΨC,I(τ ′). Thus

CI(Γ,τ ′),ΨC,I(Γ) `cp e1 : ψ(ΨC,I(τ))→ψ(l) ΨC,I(τ ′)

Also by induction, CI(Γ,τ); ΨC,I(Γ) `cp e2 : ΨC,I(τ), and by similar reasoning and Lemma 22 weget CI(Γ,τ ′); ΨC,I(Γ) `cp e2 : ψ(ΨC,I(τ)).

Finally, since C ` l ≤ L, we have CI(Γ,τ ′) ` ψ(l) ≤ ψ(L) or CI(Γ,τ ′) ` ψ(l) ≤ L.But then we have

[App (Copy)]

CI(Γ,τ ′); ΨC,I(Γ) `cp e1 : ψ(ΨC,I(τ))→ψ(l) ΨC,I(τ ′)CI(Γ,τ ′); ΨC,I(Γ) `cp e2 : ψ(ΨC,I(τ)) CI(Γ,τ ′) ` ψ(l) ≤ L

CI(Γ,τ ′); ΨC,I(Γ) `cp e1@Le2 : ΨC,I(τ ′)

Case [Pair], [Proj], [Cond]. Similar to [App].

Case [Sub]. We have

[Sub (CFL)]I;C; Γ `CFL e : τ C; ∅ ` τ ≤ τ ′

I;C; Γ `CFL e : τ ′

By induction and Lemma 22, we have CI(Γ,τ,τ ′); ΨC,I(Γ) `cp e : ΨC,I(τ). Let ψ = ψ(Γ,τ ′). Then

ψ(CI(Γ,τ,τ ′));ψ(ΨC,I(Γ)) `cp e : ψ(ΨC,I(τ))

44

But by Lemma 30 we have ψ(ΨC,I(Γ)) = ΨC,I(Γ). And ψ(CI(Γ,τ,τ ′)) = CI(Γ,τ ′). Thus we have

CI(Γ,τ ′); ΨC,I(Γ) `cp e : ψ(ΨC,I(τ))

Next, by Lemma 36, we have CI(τ,τ ′) `cp ΨC,I(τ) ≤ ΨC,I(τ ′). Thus by Lemma 22 we haveCI(Γ,τ,τ ′) `cp ΨC,I(τ) ≤ ΨC,I(τ ′) Then

ψ(CI(Γ,τ,τ ′)) `cp ψ(ΨC,I(τ)) ≤ ψ(ΨC,I(τ ′))

But ψ(ΨC,I(τ ′)) = ΨC,I(ψ(τ ′)) by Lemma 29, and ΨC,I(ψ(τ ′)) = ΨC,I(τ ′) by definition of ψ. Andψ(CI(Γ,τ,τ ′)) = CI(Γ,τ ′). Thus by Lemma 22 we have

CI(Γ,τ ′) `cp ψ(ΨC,I(τ)) ≤ ΨC,I(τ ′)

Then we have

[Sub (Copy)]

CI(Γ,τ ′); ΨC,I(Γ) `cp e : ψ(ΨC,I(τ))CI(Γ,τ ′); ∅ `cp ψ(ΨC,I(τ)) ≤ ΨC,I(τ ′)

CI(Γ,τ ′); ΨC,I(Γ) `cp e : ΨC,I(τ ′)

Case [Let]. We have

[Let (CFL)]

I;C; Γ `CFL e1 : τ1 I;C; Γ, f : (∀~α.τ1,~l) `CFL e2 : τ2

~α = fl(τ1) \~l ~l = fl(Γ)I;C; Γ `CFL let f = e1 in e2 : τ2

By induction, we have CI(Γ,τ1); ΨC,I(Γ) `cp e1 : ΨC,I(τ1). But ~l = fl(Γ), and ~α = fl(τ1) \ ~l. Thus

fl(Γ) ∪ fl(τ1) = ~α ∪~l. Therefore CI(~α,~l)

; ΨC,I(Γ) `cp e1 : ΨC,I(τ1).

Then since ~l = fl(Γ), by induction we also have CI(Γ,τ2); ΨC,I(Γcp), f : ∀~α[CI(~α,~l)

].(ΨC,I(τ1)) `cpe2 : ΨC,I(τ2).

Finally, by Lemma 31 we have fl(ΨC,I(τ1)) = fl(τ1), and by Lemma 32 we have fl(ΨC,I(Γ)) ⊆fl(Γ). Thus

~α = fl(τ1) \~l ⊆(fl(ΨC,I(τ1)) ∪ fl(CI

(~α,~l))))\ fl(ΨC,I(Γ))

Therefore we can apply [Let] rule of the Copy system to prove

[Let (Copy)]

CI(~α,~l)

; ΨC,I(Γ) `cp e1 : ΨC,I(τ1)

CI(Γ,τ2); ΨC,I(Γcp), f : ∀~α[CI(~α,~l)

].(ΨC,I(τ1)) `cp e2 : ΨC,I(τ2)

~α ⊆(fl(ΨC,I(τ1)) ∪ fl(CI

(~α,~l))))\ fl(ΨC,I(Γ))

CI(Γ,τ2); ΨC,I(Γ) `cp let f = e1 in e2 : ΨC,I(τ2)

Case [Fix]. Similar to [Let] and [Inst]

Case [Inst]. We have

[Inst (CFL)]

I;C; ∅ ` τ �i+ τ ′ : φdom(φ) = ~α I ` ~l �i+ ~l I ` ~l �i− ~l

I;C; Γ, f : (∀~α.τ,~l) `CFL f i : τ ′

45

By definition ΨC,I((∀~α.τ,~l)) = ∀~α[CI(~α,~l)

].(ΨC,I(τ)). Notice that ~l is the set of free labels at the point

where f was bound by [Let] or [Fix], and that this use of [Inst] is nested inside that derivation. Thus~l ⊆ fl(Γ), and by [Inst (CFL)] we have φ(~l) = ~l. Further, since φ(τ) = τ ′ we have φ(~α) ⊆ fl(τ ′).Thus φ(~α ∪~l) ⊆ fl(τ ′) ∪ fl(Γ). Then by Lemma 25, we have CI(Γ,τ ′) ` φ(CI

(~α,~l)).

Thus we can apply the [Inst] rule of Copy:

[Inst (Copy)]

CI(Γ,τ ′) ` φ(CI(~α,~l)

)

CI(Γ,τ ′); ΨC,I(Γ), f : ∀~α[CI(~α,~l)

].(ΨC,I(τ)) `cp f i : φ(ΨC,I(τ))

Finally, by Lemma 29 we have φ(ΨC,I(τ)) = ΨC,I(φ(τ)) = ΨC,I(τ ′),

Case [Pack]. We have

[Pack (CFL)]

I;C; Γ `CFL e : τ ′ I;C; ∅ ` τ �i− τ ′ : φdom(φ) = ~α C ` L ≤ lI;C; Γ `CFL packL,i e : ∃l~α.τ

Since C ` L ≤ l we have CI(Γ,l,τ ′) ` L ≤ l. By definition ΨC,I(∃l~α.τ ) = ∃l~α[CI~α].(ΨC,I(τ)).By induction and Lemma 22 we have CI(Γ,l,τ ′),ΨC,I(Γ) ` e : ΨC,I(τ ′). But φ(τ) = τ ′, so byLemma 29 we have ΨC,I(τ ′) = φ(ΨC,I(τ)). Also, since the instantiation context is normal, andsince φ(~α) ⊆ fl(τ ′), by Lemma 34 we have CI(Γ,l,τ ′) ` φ(CI~α). Putting this together yields

[Pack (Copy)]

CI(Γ,l,τ ′); ΨC,I(Γ) `cp e : φ(ΨC,I(τ)) CI(Γ,l,τ ′) ` φ(CI~α)CI(Γ,l,τ ′) ` L ≤ l

CI(Γ,l,τ ′); ΨC,I(Γ) `cp packL,i e : ∃l~α[CI~α].(ΨC,I(τ))

Let ψ = ψ(Γ,l,(τ\~α)). Then we have

ψ(CI(Γ,l,τ ′));ψ(ΨC,I(Γ)) `cp packL,i e : ψ(∃l~α[CI~α].(ΨC,I(τ)))

Notice that fl(τ) \ ~α ⊆ fl(τ ′). Then ψ(CI(Γ,l,τ ′)) = CI(Γ,l,(τ\~α)). And by Lemma 30 we haveψ(ΨC,I(Γ)) = ΨC,I(Γ). Finally, ψ(∃l~α[CI~α].(ΨC,I(τ))) = ∃l~α[CI~α].(ΨC,I(τ)), since ψ(l) = l by def-inition, all the labels in CI~α are bound, and since fl(ΨC,I(τ)) = fl(τ) by Lemma 31 and the onlyunbound labels of τ are those in fl(τ) \ ~α, which ψ does not affect by definition. Thus

CI(Γ,l,(τ\~α)); ΨC,I(Γ) `cp packL,i e : ∃l~α[CI~α].(ΨC,I(τ))

Case [Unpack]. We have

[Unpack (CFL)]

I;C; Γ `CFL e1 : ∃l~α.τ I;C; Γ, x : τ `CFL e2 : τ ′~l = fl(Γ) ∪ (fl(τ) \ ~α) ∪ fl(τ ′) ∪ L ~α ⊆ fl(τ) \~l C ` l ≤ L

∀l ∈ ~α, l′ ∈ ~l.(I;C 6 `l m l′ and I;C 6 `l′ m l)

I;C; Γ `CFL unpackL x = e1 in e2 : τ ′

46

By induction and Lemma 5, we have CI(Γ,l,(τ\~α),τ ′); ΨC,I(Γ) ` e1 : ∃l~α[CI~α].ΨC,I(τ) Let ψ =ψ(Γ,τ ′). Then we have

ψ(CI(Γ,l,(τ\~α),τ ′));ψ(ΨC,I(Γ)) ` e1 : ψ(∃l~α[CI~α].ΨC,I(τ))

Then by Lemma 30 we have ψ(ΨC,I(Γ)) = ΨC,I(Γ). Also, we have ψ(CI(Γ,l,(τ\~α))) = CI(Γ,τ ′). Finally,

notice that ψ(∃l~α[CI~α].ΨC,I(τ)) = ∃ψ(l)~α[CI~α].ψ′(ΨC,I(τ)), where ψ′(l) = l if l ∈ ~α and ψ′(l) = ψ(l)otherwise. Further, all labels in CI~α are bound. Thus we have

CI(Γ,τ ′); ΨC,I(Γ) ` e1 : ∃ψ(l)~α[CI~α].ψ′(ΨC,I(τ))

Also by induction CI(Γ,τ,τ ′); ΨC,I(Γ), x : ΨC,I(τ) ` e2 : ΨC,I(τ ′). Then we claim

CI(Γ,(τ\~α),τ ′) ∪ CI~α ` C

I(Γ,(τ\~α),~α,τ ′) = CI(Γ,τ,τ ′)

To see why, suppose CI(Γ,τ,(τ\~α),τ ′) ` l ≤ l′. Then without loss of generality, assume l and l′ are labels

rather than joins. If l or l′ is in L, then the result holds trivially. Also, if l, l′ ∈ fl(Γ)∪(fl(τ)\~α)∪fl(τ ′)or l, l′ ∈ ~α, then the result holds trivially. Otherwise, we have I;C ` l m l′ with one of l, l′ infl(Γ)∪ (fl(τ)\~α)∪fl(τ ′) and one in ~α, which is impossible by the last hypothesis of [Unpack]. Thusby Lemma 5 we have

CI(Γ,(τ\~α),τ ′) ∪ CI~α; ΨC,I(Γ), x : ΨC,I(τ) ` e2 : ΨC,I(τ ′)

But then we have

ψ′(CI(Γ,(τ\~α),τ ′) ∪ CI~α);ψ′(ΨC,I(Γ)), x : ψ′(ΨC,I(τ)) ` e2 : ψ′(ΨC,I(τ ′))

ψ′ and ψ only differ on ~α, and by assumption ~α∩~l = ∅. Thus by Lemma 30 we have ψ′(ΨC,I(Γ)) = Γand ψ′(ΨC,I(τ ′)) = ΨC,I(τ ′). Further, ψ′ does not affect ~α, so ψ′(CI(Γ,(τ\~α),τ ′)∪C

I~α) = ψ′(CI(Γ,(τ\~α),τ ′))∪

CI~α. And ψ′(CI(Γ,(τ\~α),τ ′)) = CI(Γ,τ ′), again since ~α ∩~l = ∅. Putting this all together, we have

CI(Γ,τ ′) ∪ CI~α; ΨC,I(Γ), x : ψ′(ΨC,I(τ)) ` e2 : ΨC,I(τ ′)

Finally, since C ` l ≤ L, we have CI(Γ,τ ′) ` ψ(l) ≤ ψ(L) or CI(Γ,τ ′) ` ψ(l) ≤ L. Also, ~α ⊆ fl(τ)\~l.By Lemma 32 we have fl(ΨC,I(Γ)) ⊆ fl(Γ). By Lemma 31 we have fl(ΨC,I(τ ′)) = fl(τ ′). Andfl(CI(Γ,τ ′)) ⊆ fl(Γ) ∪ fl(τ ′). And since ~l ⊇ fl(Γ) ∪ fl(τ ′) we have

~α ⊆(fl(ΨC,I(τ)) ∪ fl(CI~α)

)\(fl(ΨC,I(Γ)) ∪ fl(CI(Γ,τ ′)) ∪ fl(ΨC,I(τ ′))

)Putting these all together, we get

[Unpack (Copy)]

CI(Γ,τ ′); ΨC,I(Γ) `cp e1 : ∃ψ(l)~α[CI~α].ψ′(ΨC,I(τ)) CI(Γ,τ ′) ` ψ(l) ≤ LCI(Γ,τ ′) ∪ C

I~α; ΨC,I(Γ), x : ψ′(ΨC,I(τ)) `cp e2 : ΨC,I(τ ′)

~α ⊆(fl(ΨC,I(τ)) ∪ fl(CI~α)

)\(fl(ΨC,I(Γ)) ∪ fl(CI(Γ,τ ′)) ∪ fl(ΨC,I(τ ′))

)CI(Γ,τ ′); ΨC,I(Γ) `cp unpackL x = e1 in e2 : ΨC,I(τ ′)

�

47